Google flags my sites as dangerous (Deceptive site ahead)

My site is marked as dangerous and I did not use wireguard at all

your site is marked as dangerous because of the SSO has nothing to do with wireguard.

  • when google search is indexing it tries to access the admin parts of your website or domains that the login is behind YunoHost SSO and the SSO redirects google indexer to the SSO portal and google freaks out thinks your sending them to a scammer to rob them or hack them.

only way to avoid this is really do not hide applications or domains behind the SSO and try to use the google search consoles

1 Like

Shit
 j’ai dĂ©cochĂ© les trois cases sous « Protection contre les contenus trompeurs et les logiciels dangereux ».

Cette histoire me va loin
 c’est comme pour les mails, on peut finir dans les spams sans savoir pourquoi (mis Ă  part que les gafam utilisent des mĂ©canismes internes pour protĂ©ger les gens, sans expliquer correctement ce qui se passe).

Edit: 3h plus tard, en cochant à nouveau ces 3 cases
 plus d’alerte. :thinking:

Hello, depuis aujourd’hui, j’ai exactement le mĂȘme problĂšme avec mon serveur : meurthemadon.nohost.me
Impossible de valider la propriĂ©tĂ© du site sur la console google. J’ai utilisĂ© my_webapp pour uploader le fichier de contrĂŽle de google mais la rĂ©ponse est “Votre site est introuvable. Veuillez vĂ©rifier que vous avez correctement renseignĂ© l’URL de votre propriĂ©tĂ©.”

Google also flagged my personal server for “phishing” (behind the login screen also) yesterday, but I got the warning removed in just 24 hours via Firefox’s false positive report tool by saying something like:

This is my personal server where I self-host my services for my own use only. Check yunohost.org for more info.

I’m not phishing anyone. If random person from internet stumbleupon to the site and enters their credentials, it’s none of my business.


I’m stunned that it was the decision was reversed that fast :sweat_smile: I guess I got lucky?

3 Likes

Same procedure and same solution for me! I also mentioned Yunohost so that they can update their phishing models :grin:

1 Like

give it time
 it’d get flagged in again in 1 week to a month.

  • i stopped doing the review 
 i dont care any more
 anything i want seen i dont put behind the SSO.

If that happens again, then I don’t care. I finally disabled safe browsing stuff from my browsers, pretty useless feature to me. And since this is my personal server, I don’t give a f about what Google thinks this server is.

I added robots.txt though (if that’s gonna help, even if it doesn’t, I don’t want my server to be indexed on Google or other search engines) with these instructions: Best way for disallowing robots with robots.txt from everything?

3 Likes

We now know that several recent Mastodon instances had the same misadventure.

It seems that several similar authentication pages on a lot of IP is considered as a phishing botnet.

Do you know any workaround to this problem??

Applying a custom theme to login page can mitigate this problem, it worked for me

Ah I get the same exact issue for one of my Mastodon instances.

Can you give us more info about this? What do you mean more exactly and why would this solve the issue?

What I realized is that some Mastodon pages have an SSO redirect like security=ae917efeb1d0450a48667a989608191230206534 - why? Can we disable that?

Basically the Mastodon “about” page wants to redirect to security=ae917efeb1d0450a48667a989608191230206534

This keeps happening to me as well. All of the domains I have added in Yunohost have a default app, they’re not all static HTML. There is no domain that you can visit, which is attached to my yunohost server, which directs to anything but an app that was installed via the yunohost admin. I would have to remove some of them to create a static HTML page at “/site” so that’s kind of not a solution.

I would love to pay for development on this. If I donate $500, can this be addressed on the development side? Anyone want to sweeten the pot with me and add to that number?

5 Likes

I don’t claim to have a solution but I am just throwing here my 2cents solutions
probably not a perfect one.
But since this had happen to me twice and both time I got it solved almost fine following below procedure.

First of all, make sure you know that your server has not be compromised.
Then you need a gmail account.
Log in
Go to postmaster console
Add your domain
It will give you a unique code that you will use to create a TXT DNS entry at your provider.
Go to you DNS provider add the TXT DNS field and click back on verify domain ownership at google postmaster tool.

Then go to “Google Search Console” and add your domain, it shall be already recognized as yours because of previsous step.
Then you shall see a warning telling you about the security issue. Eventually you might get details specific to why it is considered as dangerous.

There you can fill up a request for review where you explain a bit that everything is fine and you are a responsible admin and very aware of security practices and proactive in taking great care of your server etc


It did work for me and both cases I found out why.
The first time it was a cryptocurrency related project that I was hosting for a hackathon
The second time was a wierd sub-domain I created with an hash
but funnily enough I kept some hash domains for quite long and no issue.

At the end I think avoiding google is good but you cant help if other you share your server link does avoid google too. That is exactly when I got issues, if I don’t share my server url around then I don’t get flagged


(class action sound like a great great idea, who is in ?)

I put your question in the contributor meeting of this evening Instance Etherpad Publique de La Quadrature Du Net

1 Like

As simple as being able to display a message on the login screen as a declaration on who is operating the website would be fantastic. Seems to be the baseline requirement that Google wants.
Specifically on the /admin and /sso login pages.

1 Like

What are you basing this on? Google published something?

here

2 Likes

Hi there, i was flagged few days ago.

My server is installed at my home (laptop with Debian OS), with static public IP and my own domain with CloudFlare SSL

I use some apps in subdomains, like:

  • excalidraw to collaborate with my team (i could post links to this in gmail)
  • Drupal to test migrations from Worpdress
  • AdGuard as home DNS

for now i’ve used “Report incorrect phishing warning” form and waiting for response. Maybe i’ll try to use some advice from this topic (like static app, robots.txt, theming login form etc).

But ultimately i can live with this for now (i use this rather for my own apps only)