Cloudflare apparently has 14% to 16% of the DNS market but only serves 10% of domain names for spammers, according to this blog post. That means a site being hosted on Cloudflare is actually a reason to trust an email more, not less, by pure statistics.
Unlike other hosts, Cloudflare offers a DNS server that’s easy to script against, cheap, and actually works well. A combination of three factors I haven’t seen another DNS host do. Of course spammers are going to flock to services like these. Kick over Cloudflare and the next most bot-friendly DNS provider will take the spammers instead.
I get why that one security vendor published a blog post about Cloudflare recently (after all, they make money selling scary news articles) but I don’t really get why Spamhaus is publishing this. They link to their own “how to prevent abuse” page which comes down to “take basic personal information (because criminals would never lie), don’t take crypto (anonymity == criminal), use our various services”.
As for the “bulletproof hosters” part: Cloudflare tries not to make ethical decisions about their customers. Given the position they’re in as middle man to at least 20% of the entire internet (80% of CDNs), I don’t think I want them to make any decisions about who can and who can’t use their services. In fact, if they start picking and choosing their customers and what they host, that increases their liability when illegal stuff does happen on their platform. The internet is free because hosters don’t need to manually approve the stuff they’re hosting as long as they follow up on legal issues; if they start picking and choosing, they’re on the hook for stuff they misjudged or missed.
SpamHaus can flag Cloudflare domains as a spam/phishing risk if they want to (but I doubt they will, as that would affect their own emails as well, seeing as they are hosted behind Cloudflare). I don’t see why they would need to make a public blog post about their problems.