zlacker

1. dinkbl+(OP)[view] [source] 2022-08-15 14:40:09
Hetzner just turned off our whole domain, without contacting us first at all! All servers unreachable, 10k angry customers hammering us. All because if they receive a trademark complaint they won't contact the domain owner first and give them reasonable time to "fix" the "issue" (even 2 hours would have been enough). No, they just turn off the production server and simultaneously send an e-mail "you better respond to their complaint if you want your domain back up".

Totally unprofessional and a complete joke. Will never use them on a production system again. Always angry if they are mentioned here like they are a legitimate choice...

replies(11): >>1dontk+44 >>double+O4 >>beeboo+o6 >>fxtent+t7 >>luckyl+We >>layer8+ok >>FpUser+Tt >>docmar+Yn1 >>hammyh+fw1 >>bborud+9L2 >>than3+iRd
2. 1dontk+44[view] [source] 2022-08-15 14:59:45
>>dinkbl+(OP)
What about their hosting? Do you use that, and have you ever encountered any problems?
replies(2): >>daneel+M5 >>jack_p+yk
3. double+O4[view] [source] 2022-08-15 15:02:44
>>dinkbl+(OP)
Hetzner is a budget server host, as is OVH, and you shouldn't assume a professional service. You get access to a server, free hardware replacements and a network, that's it. It's cheaper and easier to mitigate any issues by slamming the power switch and then notifying you.

Folk ask why I colo. And the why is because it's my hardware. If my host is to touch my kit without my permission or a subpoena they'll get slapped with a solicitor.

replies(3): >>themoo+69 >>hansvm+u9 >>hattma+Yd
◧◩
4. daneel+M5[view] [source] [discussion] 2022-08-15 15:06:33
>>1dontk+44
My experience with small-scale hosting for a few years there (on an enterprise user account) met no problems - but, also, we met no technical problems requiring interaction with support staff.
5. beeboo+o6[view] [source] 2022-08-15 15:09:19
>>dinkbl+(OP)
Heroku did this to me. A former employer was mad at me for daring to leave my job and made a malicious DMCA claim against my website. Heroku took it down with zero notice and treated me like a criminal when I called them to quit their bullshit
replies(3): >>the_on+W6 >>fallin+Jc >>hammyh+rw1
◧◩
6. the_on+W6[view] [source] [discussion] 2022-08-15 15:11:04
>>beeboo+o6
The power of false DMCA takedowns is just insane. You can get a copyright strike if your fucking keyboard makes too much noise.
7. fxtent+t7[view] [source] 2022-08-15 15:13:29
>>dinkbl+(OP)
Are you sure they turned off the domain?

Your case sounds like one of your IPs got blocked in their firewall, which can happen if you use bittorrent or receive a DMCA strike. But then other IPs associated with the domain would still work fine.

That said, yes, their abuse team is rather trigger happy. I've had disagreements with them, too. They can be VERY German ;) But in general, calling them on the phone can fix these cases within minutes.

replies(1): >>dinkbl+Zi
◧◩
8. themoo+69[view] [source] [discussion] 2022-08-15 15:21:00
>>double+O4
Anecdotally, we inherited an OVH dedi infrastructure when signing a new client and tbh it's been going swimmingly. I think the Incident made them really up their game.
◧◩
9. hansvm+u9[view] [source] [discussion] 2022-08-15 15:22:32
>>double+O4
If that were it then there wouldn't be a problem. You don't even have access to the server you paid for.
◧◩
10. fallin+Jc[view] [source] [discussion] 2022-08-15 15:39:09
>>beeboo+o6
If this was a business site and you had a service interruption you should absolutely sue them for damages.
replies(1): >>jkaplo+Xt
◧◩
11. hattma+Yd[view] [source] [discussion] 2022-08-15 15:44:33
>>double+O4
That doesn't solve the issue of making a domain unresolvable if the registrar chooses to do so like the case in here, or does it?
replies(1): >>double+ne
◧◩◪
12. double+ne[view] [source] [discussion] 2022-08-15 15:46:12
>>hattma+Yd
It can. By becoming your own registrar. Granted that costs $$ but solves the problem of if a registrar is deciding to axe you.
replies(1): >>powerh+gl
13. luckyl+We[view] [source] 2022-08-15 15:48:51
>>dinkbl+(OP)
Hey, that reminds me of Cloudflare's response to Phishing Reports. Someone claims you're phishing? Page gets locked and there's no recourse. You can reach out to Trust & Safety, but I've never gotten a reply in over a year. Tech support just says "sorry, we can't do anything about it". So you either live with some page(s) on your site getting a big fat "EVIL LURKS AHEAD" warning, or you migrate off of CF.

That said, with Hetzner I've had the trademark complaints as well, but they've always given us 24h, and were always okay with us saying that our usage (e.g. showing a logo of a shop next to their review) was fair use.

replies(1): >>creebl+Up
◧◩
14. dinkbl+Zi[view] [source] [discussion] 2022-08-15 16:06:48
>>fxtent+t7
yes, they turned off the domain (macupdater.net) because one app vendor of an app listed wasn't happy that we advertise their app for free. they cited trademark issues and contacted the host hetzner instead of us (grrr!). and hetzner just turned off the whole domain without contacting us first. the very same domain was also used as an app-backend service, that's why we got hundreds of complaints in a very short time.

i think giving 2 days before turning anything off would be sensible. 1 day would still be ok. but turning it off immediately without even giving a chance to reply is not acceptable. especially since anyone can send a trademark complaint without providing any evidence. so, if you want to do some domain sniping, look for businesses hosted on hetzner and watch them go down...

replies(3): >>Xylaka+bn >>fxtent+fy2 >>ksec+pn3
15. layer8+ok[view] [source] 2022-08-15 16:13:22
>>dinkbl+(OP)
I always separate domain hosting from server hosting, to limit the scope of the outage. If there is a problem with the DNS, I can switch to a different domain for the server. If there is a problem with the server, I can switch to a failover server under the same domain.
replies(1): >>imhogu+4F
◧◩
16. jack_p+yk[view] [source] [discussion] 2022-08-15 16:14:21
>>1dontk+44
We just tried their cloud offering and idk if that's new to them and still in "beta" but you are limited to the amount of VMs you can start because "your account is new" and I have not found a way to open a channel of communication where you can lift that. Other than that their prices are hard to beat
◧◩◪◨
17. powerh+gl[view] [source] [discussion] 2022-08-15 16:17:24
>>double+ne
Is that still $350k minimum?
◧◩◪
18. Xylaka+bn[view] [source] [discussion] 2022-08-15 16:25:16
>>dinkbl+Zi
It really depends in which way they complained to Hetzner. Write a stern email? Hetzner could forward it to you and give time to respond. Preliminary injunction (not uncommon in trademark cases), they'd have no choice in that matter.

Generally, I would recommend not hosting APIs on the primary domain for exactly that reason - it's too easy to be hit with some sort of complaint and have that domain cut off (DMCA, preliminary injunction, SPAM complaint against your mail server, shitty host, ...).

replies(1): >>dinkbl+LN
◧◩
19. creebl+Up[view] [source] [discussion] 2022-08-15 16:36:34
>>luckyl+We
I’d like verification of that behavior from CF.

I have an email from them forwarded by a third party reporting phishing on a CF-DNS-hosted site where Cloudflare denied they had any responsibility whatsoever as “they host no content”.

Of course, it requires a subpoena to discover who DOES host the content, as they are the only ones who know.

replies(1): >>luckyl+NP
20. FpUser+Tt[view] [source] 2022-08-15 16:51:32
>>dinkbl+(OP)
Ouch. I use Hetzner and OVH but after this I guess no more Hetzner for me. I already had an unpleasant encounter described below. Do not want to give Hetzner a chance to screw me with this kind of asshole attitude.

Previous experience: I already had one of our videos suspended for "copyright violation" (this was on media hosting site) despite the fact that I fucken made this video myself. Some company had stolen it, claimed it as their own and submitted the hash. Since mine has the same hash (duh!) access to my video was blocked, resulting in download complaints from customers who purchased it. I sent numerous complaints with the results that amounted to roughly "fuck you". I've given up but suddenly out of the blue after 2 months I received the apology from some C-level of theirs telling me that they were in error and access to my video was restored.

◧◩◪
21. jkaplo+Xt[view] [source] [discussion] 2022-08-15 16:51:44
>>fallin+Jc
I think the DMCA protects them against liability for simply staying within the DMCA safe harbor. But if the claim itself was malicious, the DMCA does allow you to sue the person who made the claim.
replies(1): >>antifa+hR2
◧◩
22. imhogu+4F[view] [source] [discussion] 2022-08-15 17:41:42
>>layer8+ok
> I can switch to a different domain for the server.

Sure you can do that for some internal/private service. But how can you do that when you have a public user base who expects a service at foobar.com which has DNS issues?

replies(1): >>layer8+JF
◧◩◪
23. layer8+JF[view] [source] [discussion] 2022-08-15 17:44:22
>>imhogu+4F
You can’t, unless you build fallback domains into the protocol. But at least you can inform your users about the fallback domain instead of having to just shrug your shoulders.
◧◩◪◨
24. dinkbl+LN[view] [source] [discussion] 2022-08-15 18:20:54
>>Xylaka+bn
> Write a stern email?

exactly what happened. so not even the slightest reason for an immediate reaction

> recommend not hosting APIs

yes! we learned the hard way :)

◧◩◪
25. luckyl+NP[view] [source] [discussion] 2022-08-15 18:31:10
>>creebl+Up
They'll put a warning message in front of the URL that's been claimed to use phishing ("Warning: Suspected Phishing Site Ahead!"), here's what that looks like: https://archive.ph/qqR8t

They do it for lots of right reasons, I'm sure, but they also do it based on simple claims. While I thought that's a great way to hurt any site if such a claim is all it takes, I haven't experimented with it, so I don't know if you have to make it a legalese thing, or if they do some automated checks. But once you get a site flagged, it'll probably stay so, unless they have some very good connections to CF.

They will forward any complaints also to the hosting company of the origin, but if you're not in luck, the site will be hosted at a questionable company that has no trouble hosting phishing sites. Hetzner for example did quickly react and requested comments from us under threat of shutting down the server. They were happy with our response and their own checks however.

Still, I agree that they should have a way of de-anonymizing who is behind a site, their business is in protecting against technical attacks, not protecting against the law.

replies(1): >>creebl+Mn1
◧◩◪◨
26. creebl+Mn1[view] [source] [discussion] 2022-08-15 21:24:52
>>luckyl+NP
Thanks for that.

By contrast, this is the email that a MAANG company received recently regarding a site being reported for phishing one of their login sites:

https://ibb.co/kcsQN0w

So I guess they are somewhat arbitrary in their phishing actions.

27. docmar+Yn1[view] [source] 2022-08-15 21:25:38
>>dinkbl+(OP)
Central providers should never have the ability to hold your business hostage for any reason.

It's for this reason that people are losing massive amounts of trust in them, yet they seem to be the only viable option for most.

The concept of grace almost doesn't exist in business, and the idea that customers are valuable is all lip service.

28. hammyh+fw1[view] [source] 2022-08-15 22:09:24
>>dinkbl+(OP)
Their uptime on their 'Robot' 'Storage Box' is also complete and utter shite in my experience. Reading that they plan on hiking the prices due to the cost of electricity, I'm strongly considering cancelling it entirely as it's used for off-site backups.
◧◩
29. hammyh+rw1[view] [source] [discussion] 2022-08-15 22:10:17
>>beeboo+o6
That's outrageous. How did this pan out, mate?
replies(1): >>beeboo+H18
◧◩◪
30. fxtent+fy2[view] [source] [discussion] 2022-08-16 07:17:14
>>dinkbl+Zi
Your reply doesn't really include the technical details to know what really happened.

Did they start sending NXFAIL for DNS requests for that domain? That's what "turning off the domain" means. But in that case, API access via IP would continue to work without issues.

Or did they start blocking traffic to the IP that you had associated with the domain? In that case, the domain would continue to work, you just need to switch the IP.

Based on your information so far, I wouldn't know what to do to repair it. I'm not surprised that others were unable to help, too.
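The distinction drawn in the comment above (name resolution failing versus the server's address being unreachable), as an added example that is not part of the thread or written by any of its participants. The hostname, the address, the verdict labels and the idea of keeping a `last_known_ip` recorded while the service was healthy are all assumptions made for illustration; run it from a machine outside the hosting provider.

```python
import socket

# Constructed placeholders: replace with your own name and the address you
# recorded while the service was healthy. 203.0.113.0/24 is a documentation range.
HOSTNAME = "app.example"
LAST_KNOWN_IP = "203.0.113.10"

VERDICTS = {
    "ok": "name resolves to the known address and the address answers",
    "dns-down-server-up": "name no longer resolves, server still answers by IP",
    "dns-down-server-unreachable": "name no longer resolves and the IP is silent",
    "dns-repointed": "name resolves, but not to the address you recorded",
    "dns-ok-ip-unreachable": "name resolves correctly, traffic to the IP fails",
}


def resolve(hostname, resolver=socket.getaddrinfo):
    """Return the sorted addresses for hostname, or [] if resolution fails."""
    try:
        infos = resolver(hostname, 443, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reachable(ip, port=443, timeout=3.0, connect=socket.create_connection):
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        conn = connect((ip, port), timeout=timeout)
    except OSError:  # refused, timed out, no route
        return False
    conn.close()
    return True


def triage(hostname, last_known_ip,
           resolver=socket.getaddrinfo, connect=socket.create_connection):
    """Classify an outage as a DNS-layer or an IP-layer problem."""
    addrs = resolve(hostname, resolver)
    server_up = reachable(last_known_ip, connect=connect)
    if not addrs:
        return "dns-down-server-up" if server_up else "dns-down-server-unreachable"
    if last_known_ip not in addrs:
        return "dns-repointed"
    return "ok" if server_up else "dns-ok-ip-unreachable"


if __name__ == "__main__":
    verdict = triage(HOSTNAME, LAST_KNOWN_IP)
    print(f"{HOSTNAME}: {verdict} ({VERDICTS[verdict]})")
```

The `resolver` and `connect` parameters exist so the classification can be exercised without network access; in normal use leave them at their defaults.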

31. bborud+9L2[view] [source] 2022-08-16 09:43:12
>>dinkbl+(OP)
It would be foolish for me to make any judgements based on anecdotes I find in comments, but this is actually quite worrying to me since I have been recommending Hetzner to people who trust me. (Based on having used them for a few years).

So I guess what I really need to understand is whether this is a typical response or if there is more to the story that I don't understand/see.

If you are no longer using Hetzner, which other vendor(s) are you using?

◧◩◪◨
32. antifa+hR2[view] [source] [discussion] 2022-08-16 10:51:47
>>jkaplo+Xt
A cursory googling suggests DMCA takedowns would take 1 day, 72 hours, or up to 10 days on various websites/services. If the law does not mandate it be that fast, then Heroku and Hetzner's alleged actions of less than 2 hours' notice would indeed be tortious and interference with business. They are backbones for businesses, they are not Twitter.
replies(1): >>jkaplo+zK3
◧◩◪
33. ksec+pn3[view] [source] [discussion] 2022-08-16 14:33:19
>>dinkbl+Zi
Maybe you should tell me which App is that so I could blacklist it just in case I may get sued.
◧◩◪◨⬒
34. jkaplo+zK3[view] [source] [discussion] 2022-08-16 16:02:54
>>antifa+hR2
The DMCA requires that service providers who wish to benefit from the safe harbor preventions act on takedown notices "expeditiously". No precise quantitative minimum or maximum timeline is provided by legislation, but under 2 hours is certainly expeditious.
replies(1): >>antifa+JY4
◧◩◪◨⬒⬓
35. antifa+JY4[view] [source] [discussion] 2022-08-16 21:47:05
>>jkaplo+zK3
Under 2 hours is fine for a rando on Twitter, it's not OK to cut off a paying customer after doing zero due diligence.
replies(1): >>jkaplo+0p7
◧◩◪◨⬒⬓⬔
36. jkaplo+0p7[view] [source] [discussion] 2022-08-17 16:49:48
>>antifa+JY4
Morally and in terms of business sense I agree with you, except I might argue that 2h is too short even for randos on Twitter (especially late on Sunday night) when the allegation is of trademark violation instead of something more urgent to resolve. Trademark matters by definition impact commerce alone, unlike if the Twitter account were compromising computers through malware or harassing or stalking humans.

But to the extent US law applies and the other required details of the DMCA safe harbor are attended to, I do think the DMCA prevents the service provider from monetary liability in this scenario. Of course, criticizing them for acting rashly remains 100% fair game.

(As to the question of whether US law applies: one example you were discussing, Hetzner, is based in Germany and not the US. But I can imagine circumstances where US law might sometimes apply to them anyway, and/or Germany might have similar laws. I'm not an expert on the international angle here, and I'm not a lawyer in any case.)

◧◩◪
37. beeboo+H18[view] [source] [discussion] 2022-08-17 20:10:49
>>hammyh+rw1
They said I was not allowed to ever host the falsely claimed content on Heroku ever again. They said that I should pursue external avenues for disputing the claim. I took my site off Heroku and kept it offline because of the implicit threats of lawsuits from my previous employer. The site was my online portfolio of work and experience I was using for job hunting. However, my Heroku account was also used to host my profit-generating website/business, and instead of taking down only my portfolio site, they took down every site on my account. My account was completely disabled and I wasn't able to even remove the specific site and put my other ones back online, which is why I had to call them to re-enable it, but only after they treated me like shit and like I was murdering babies even though I told them the DMCA claim was malicious.

I did not mention the former employer or any of their projects/clients by their names and did not include any images of those projects that were protected by any copyright that they held. It was screenshots of the website functionality after I had removed all original styling and revamped it myself (on my own time on my own machine using only publicly available HTML/CSS) from the ground up to anonymize it. All branding and images were removed and replaced. These revamps were never publicly released and were only used to create screenshots to display their functionality. They claimed copyright ownership of the images that I took, on my own computer, that had zero resemblance to their own software except for the workflows that they had. These were all public facing sites and there was no internal/proprietary workflow information being shown. The work being displayed was 100% my own creation during my employment, and I was not claiming any credit for work that wasn't done by me.

I did not bother disputing the fraudulent DMCA claim because my former employer that did it was extremely litigious and loved lawsuits and loved making them as long and expensive as possible to punish the people they were trying to bully into submission. The owner would frequently boast in the (open concept) office about all his lawsuits and how he was forcing people to comply to his demands with the threat of ruining them financially with lawsuits.

It did have an impact on my ability to find new employment, but I found employment anyway. I just made a PDF version of my website (well laid out) and sent that with my cover letter.

replies(1): >>hammyh+9f8
◧◩◪◨
38. hammyh+9f8[view] [source] [discussion] 2022-08-17 21:28:55
>>beeboo+H18
Christ, that's absolutely awful. Sounds like leaving was a good decision though, I wouldn't want to work anywhere that toxic.
39. than3+iRd[view] [source] 2022-08-19 17:03:16
>>dinkbl+(OP)
Hi OP, I'm sorry to hear about your experience there, and I appreciate you warning people.

I was not aware of their abuse policy when I was forced to move my services from another unprofessional provider. I had settled on Hetzner. I'm glad you said something.

Over the last few days I've reached out to them for further clarification on their policies, and over those (multiple) communications there were enough professional red flags that it's become clear they can't be considered for any future hosting of production or professional services.

Initially, I was stonewalled with:

---

Thank you for reaching out to us directly to clarify this matter.

In accordance with German law, we are not permitted to disclose internal information to third parties or to review or verify the content of any potential abuse reports. As a matter of fact, we neither can confirm nor deny what is described in that thread. We want to assure you that our abuse team handles cases with care and sets reasonable deadlines and measures based on the gravity of the allegation.

---

I asked about what processes and controls they have in place to prevent fraud, and the written policies and timetables, and they didn't appear to understand English well enough to answer, they thought I was talking about other common forms of abuse rather than fraud.

As a customer, they were unable to provide me with any kind of written policy, adversarial response schedule, or other controls commonly needed to mitigate fraud.

No details or specifics on their policies, other than what they refer to as 'reasonable' time tables based on the allegation which are not clarified further.

It appears they consider multiple complaints more severe regardless of the legitimacy of the claims which they don't appear to evaluate prior to shutdown, and their Abuse Team decides on a case-by-case basis what actions are to be taken, and the response times allowed.

As a result, it appears this provider has an unreasonable amount of counter-party risk associated with it. Any company could file a claim, and hold your business hostage (as OP described).

What's worse, if they suspend or terminate your account as a result without notice; any monitoring that might have alerted you so that you could respond more quickly would likely not function correctly and fail silently without a cross-platform investment.
