How to De-Anonymize Scam/Knock-off Sites Hiding Behind CloudFlare

Update (2021-01-09): There’s a newer blog post that covers different CloudFlare deanonymization techniques (with a real world case study).


Furry Twitter is currently abuzz about a new site selling knock-off fursuits and illegally using photos from the owners of the actual fursuits without permission.

The website in question.

Understandably, the photographers and fursuiters whose work was ripped off by this website are upset and would like to exercise their legal recourse (i.e. DMCA takedown emails) against the scam site, but there’s a wrinkle:

Their contact info isn’t in DNS and their website is hosted behind CloudFlare.

CloudFlare.
Private DNS registration.

You might think this is a show-stopper, but I’m going to show you how to get their server’s real IP address in one easy step.

Ordering the Server’s IP Address by Mail

Most knock-off site operators will choose open source eCommerce platforms like Magento, WooCommerce, and OpenCart, which usually have a mechanism for customers to register for an account and log in.

Usually this mechanism sends you an email when you authenticate.

(If it doesn’t, logout and use the “reset password” feature, which will almost certainly send you an email.)

Once you have an email from the scam site, you’re going to need to view the email headers.

With Gmail, you can click the three dots on the right of an email, then click “Show original”.

Account registration email.
Full email headers after clicking “Show original”.

And there you have it. The IP address of the server behind CloudFlare delivered piping hot to your inbox in 30 minutes or less, or your money back.
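The header check described above, as an added Python example (not code from the original post): it parses the Received: chain of a raw message, discards loopback and RFC 1918 hops, and reports every public address that is not an expected mail relay. The two messages, their hostnames and their addresses are constructed (RFC 5737 documentation ranges, `.invalid` hostnames); the first models a shop whose server delivers mail directly, the second the same mail sent through a third-party relay. A site operator can run the same check on a test message from their own shop to see whether it exposes the origin server.

```python
import ipaddress
import re
from email import message_from_string

# Hops that never identify the origin: loopback and RFC 1918 / ULA space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]

# Received: headers record each hop's address in square brackets,
# IPv6 ones as [IPv6:...].
BRACKETED_ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed sample 1: the shop's own server hands the mail straight to the
# recipient's provider, so its address lands in the middle Received: header.
# Hostnames are invented; addresses come from RFC 5737 documentation ranges.
SAMPLE_DIRECT = """\
Received: from mx.mailprovider.invalid ([10.0.0.5])
        by inbox.mailprovider.invalid with ESMTP id a1; Tue, 05 Jan 2021 10:00:00 +0000
Received: from shop.knockoff.invalid (shop.knockoff.invalid [203.0.113.45])
        by mx.mailprovider.invalid with ESMTPS id b2; Tue, 05 Jan 2021 09:59:58 +0000
Received: from localhost (localhost [127.0.0.1])
        by shop.knockoff.invalid (Postfix) with ESMTP id c3; Tue, 05 Jan 2021 09:59:57 +0000
From: Shop <noreply@knockoff.invalid>
To: customer@mailprovider.invalid
Subject: Welcome to your new account

Thanks for registering.
"""

# Constructed sample 2: the same mail sent through a third-party relay that does
# not record the submitting client, so only the relay's address is visible.
SAMPLE_RELAYED = """\
Received: from mx.mailprovider.invalid ([10.0.0.5])
        by inbox.mailprovider.invalid with ESMTP id d4; Tue, 05 Jan 2021 10:00:00 +0000
Received: from out.relay-provider.invalid (out.relay-provider.invalid [198.51.100.7])
        by mx.mailprovider.invalid with ESMTPS id e5; Tue, 05 Jan 2021 09:59:58 +0000
From: Shop <noreply@knockoff.invalid>
To: customer@mailprovider.invalid
Subject: Welcome to your new account

Thanks for registering.
"""


def received_hops(raw_message):
    """Addresses recorded in the Received: chain, earliest hop first.

    Each MTA prepends its own Received: header, so the last header in the
    message is the first hop and the origin sits at the start of the result.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        for token in BRACKETED_ADDR.findall(header):
            try:
                hops.append(ipaddress.ip_address(token))
            except ValueError:  # bracketed text that is not an address
                continue
    return hops


def leaked_addresses(raw_message, expected_relays=()):
    """Public hop addresses that are neither internal nor an expected relay.

    expected_relays: CIDR strings for mail infrastructure you intend to expose
    (e.g. your transactional mail provider). An empty tuple lists every public
    hop, which is the investigator's view from the post above.
    """
    allowed = [ipaddress.ip_network(n) for n in expected_relays]
    leaks = []
    for addr in received_hops(raw_message):
        if any(addr in net for net in INTERNAL_NETS + allowed):
            continue
        if str(addr) not in leaks:
            leaks.append(str(addr))
    return leaks


def likely_origin(raw_message):
    """First public address in the chain: the best candidate for the origin server."""
    leaks = leaked_addresses(raw_message)
    return leaks[0] if leaks else None


if __name__ == "__main__":
    print("direct send leaks:", leaked_addresses(SAMPLE_DIRECT))
    print("likely origin:", likely_origin(SAMPLE_DIRECT))
    print("relayed send, relay allowlisted:",
          leaked_addresses(SAMPLE_RELAYED, expected_relays=("198.51.100.0/24",)))
```

CloudFlare proxies HTTP(S), not SMTP, so any mail the origin server delivers itself carries the origin's address in the recipient's Received: header, exactly as the screenshots above show. Sending through a third-party mail provider only closes the gap if that provider does not write the submitting client's address into its own Received: header; sending yourself a registration mail and running this check with the provider's ranges in `expected_relays` tells you which case you are in.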

That’s a fairer deal than any of these knock-off fursuit sites will give you.

Black magic and piss-poor opsec.

What Can We Do With The Server IP?

You can identify who hosts their website. (In this case, it’s a company called Net Minders.)

With this knowledge in mind, you can send an email to their web hosting provider, citing the Digital Millennium Copyright Act.

One or two emails might get ignored, but discarding hundreds of distinct complaint emails from different people is bad for business. This (along with similar abuse complaints to the domain registrar, which isn’t obscured by DNS Privacy) should be enough to shut down these illicit websites.

The more you know!

Epilogue

The technique is simple, effective, and portable. Use it whenever someone tries to prop up another website to peddle knock-off goods and tries to hide behind CloudFlare.

By Soatok

Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!
