Google flags my sites as dangerous (Deceptive site ahead)


Hi! Just bringing not-so-good news, but I suspect this might have to do with some internal scoring by Google (or any other phishing list provider: Cisco, Fortinet, etc.; they share their data, that’s why it often appears flagged in 3-4 databases), and I suspect some of the websites get a bad score because of a combination of these factors:

  • weird/cheap TLD used by phishers: some engines automatically give a bad score to those
  • newly seen domains: I know that Cisco for example offers a DNS service that can block all domains not in Cisco’s database yet. This is very efficient against phishing since that’s how phishing websites operate. This would also explain why sometimes the website is unblocked after a few days.
  • maybe, as mentioned, the fact that the website redirects to a login form also triggers their scoring algorithm, since it looks like a phishing form (but I don’t believe what was mentioned earlier about the 301 and 302 redirects, as a 302 redirect is the correct use for an SSO login)

So as a solution I think we’re stuck with asking whichever vendor to lift their ban on a flagged domain…




Google thinks my private Home Assistant that runs on YunoHost is trying to scam ppl… a private website… ugh, I’m so sick of this.

So mad, I can’t even use the Home Assistant app: as soon as I open it, it sees the scary message, and it now crashes and won’t stop until Google fixes my domain. I can only access it through a web browser right now, but on a tablet the web browser in split screen looks strange.

Version of yunohost: 4.3.6.3 (stable)
Version of ssowat: 4.3.3.1
Where is hosted your server: VPS Ionos
Apps list: Jirafeau 4.4.0 ynh1 // nextcloud 22.2.10~ynh1 // prettynoemiecms 2020.01.07~ynh2 // rainloop 1.16.0~ynh4
Domains number: 4
Affected domains: 3 (fcostes.fr / files.fcostes.fr / docs.fcostes.fr)
For each affected domains, give a link to the virus total test: fcostes.fr
files.fcostes.fr
docs.fcostes.fr
SSO page of the domain fcostes.fr in error
Have you put some links on social media (like youtube, instagram, etc.) which display the sso page? NO
Have you found an app that was infected? If yes, which app? NO

Hi everyone, I’m also experiencing this issue of a wrongful phishing notice: the first one in early May, then a second time and a third time in a row on the 1st and 6th of August.
For the 1st and 2nd notices, a simple re-exam form did the job without doing anything on the server. I applied for a 3rd exam this morning and am waiting.

What happened between the 2nd and 3rd notice is the use of Jirafeau and the download of a file uploaded on the Jirafeau instance by a third-party user (normal use-case).
Could this use-case have triggered the Google Safebrowsing phishing notice?

Have a good day all, I’ll update this post to keep you informed if needed

Fabien

This has been happening to BTCPay servers as well.

The BTCPayServer folks thought maybe it was because 1 BTCPay server was used by someone in a malware campaign (ransomware), so now some app somewhere thinks all of them are malicious.

But this theory of flagging based on “redirection to a login page” behaviour – that’s interesting. Cuz I know BTCPayServer does that too. Perhaps there is a fix that us software developers can implement by “hiding” the login page or requiring users to click a link before it displays the login form?

edit: note this is just a theory!! AFAIK we have no idea why these flags are happening

I looked to find some way of having a static ‘home’ page as the landing page, but could not find any option or app like that in YNH. I don’t mind having to click out to my login page … it’s an extra click but not a big deal. Anyone know how to make this happen?

I’m not familiar with YunoHost so I’m not sure how to achieve it, perhaps you could edit the nginx configuration file and then restart nginx?

This appears to be the file defining the redirect-to-login behaviour: yunohost/redirect_to_admin.conf at dev · YunoHost/yunohost · GitHub

    location / {
        return 302 https://$http_host/yunohost/admin;
    }

and it looks like redirect_to_admin.conf gets installed by this script: yunohost/15-nginx at 140e50253fac0d3c9aa6fcab9e392a462c914e98 · YunoHost/yunohost · GitHub

    nginx_dir="/etc/nginx"
    nginx_conf_dir="${nginx_dir}/conf.d"
    ....

    mkdir -p $nginx_conf_dir/default.d/
    cp "redirect_to_admin.conf" $nginx_conf_dir/default.d/

so it looks like that file would be in your server at /etc/nginx/conf.d/default.d/redirect_to_admin.conf

Also I should point out, what I said is pure theory and speculation, we have no idea if this is actually the cause or not.
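
One way to get the static landing page asked about above, as an added example that is not part of the original posts and not YunoHost's own configuration. It assumes redirect_to_admin.conf is included inside the server block that answers for your host, and /var/www/landing is a hypothetical directory holding an index.html that links to /yunohost/admin.

```nginx
# /etc/nginx/conf.d/default.d/redirect_to_admin.conf (path as given in the post)

# Exact match: only a request for "/" itself gets the static page.
location = / {
    # Hypothetical directory; create it and put index.html in it.
    root /var/www/landing;

    # Serve the file from inside this location. Using "index index.html;"
    # instead would trigger an internal redirect to /index.html, which no
    # longer matches "location = /" and would fall through to the 302 below.
    try_files /index.html =404;
}

# Every other path keeps the behaviour quoted in the post:
# a temporary redirect to the admin login.
location / {
    return 302 https://$http_host/yunohost/admin;
}
```

Check the syntax with `nginx -t` before reloading nginx. Because the install script quoted above copies redirect_to_admin.conf into place, a later run of it may overwrite a manual edit.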