Google flags my sites as dangerous (Deceptive site ahead)

Hope I don’t jinx myself, but for about 2/3 weeks now I’ve not had issues after doing this, which someone above posted but now seems to be gone?

Anyway, use these links:

  1. https://search.google.com/search-console
  2. https://postmaster.google.com/

Add your domain to both links by Google, then go to Security under Search Console, click on “fixed”, enter some random malarkey, then wait for it to happen again in a few days, but by then you should hopefully be good with Google and might have to do the malarkey once more and hope that works.

But I don’t know yet if Google will still red-flag me again, but so far no issues.

Would have agreed with you but then I logged in this morning and bam… Back again.

Do you reckon it’s worth doing a coordinated campaign against Google? Set up some tickets, then get everyone here to jump on and comment. While that is going, start a Twitter campaign #googleisbeinga**** (or something more polite)?

Just as an update:

  1. I’m unable to use Google’s search-console because I am using a stock ynh.fr domain. As such, I have no access to my domain’s DNS records.

  2. Adding a My_Webapp page and setting it as the default – both as domain.tld/site and at the domain root (domain.tld/), and even with a customised HTML splash page explaining it’s a private server run for a family – made the situation worse. Before, VirusTotal said only Google Safebrowsing thought my domain was a phishing site. Immediately after, I had 2 extra companies think so, and “multiple redirects” was the reason given, as before.

  3. I submitted a request for review here (Report Incorrect Phishing Warning) as I said in my previous post, but so far there’s been no change.

I second what others have said about customising the SSO login screen. I know it has been mentioned in passing that it is possible using custom style sheets (CSS) and/or Javascript, but I’m sure I’m not the only one who would really appreciate a step-by-step guide on how to actually do this in the context of a Yunohost server. Not everyone is a web developer.

You could also try asking Google Webmasters for help directly: Google Search Central Community

As another update, I have done the following and now have 7 companies in total marking my ynh.fr domain as “phishing” or “malicious”.

  1. Modified the blue “Please sign in to see this content” box that appears above my server’s SSO login fields, so that the text says, “This is a private server for a family’s own use. We aren’t phishing anyone.”
    For anyone else who wants to do this, edit the file /usr/share/ssowat/portal/locales/en.json (or if your locale is French: fr.json), and look for the line that begins with "please_login":
    For example: "please_login": "Here is some sample text",
    Keep the quotation marks and the comma on the end. Save & exit.
    Check that nginx is still OK by running: sudo nginx -t
    Then either reboot your server (sudo reboot now) or restart nginx (sudo systemctl reload nginx)

  2. Followed the instructions here to add robots.txt to the root of the domain.

Strangely VirusTotal gives different results if you type https:// on the front of the URL. It also has results for subdomains I no longer have.

Right, some success.
I realised that the report I made to https://safebrowsing.google.com/safebrowsing/report_error/?hl=en-US hadn’t gone through because of a browser extension I was using, so I turned it off, tried again, and within a few hours, Google Safebrowsing had stopped marking my domain as phishing/malicious.

I have also been writing to the other companies in the VirusTotal analysis results to either flag up my domain as a false positive, or ask them to review it. You can either contact them in the normal ways or use the ‘report false positive’ feature that some of their websites have. Of the 8 that were marking it as phishing/malicious yesterday morning, I’m now down to 2. :slight_smile:

Since it seems Google doesn’t like the redirect URL like “sso/?r=aHR0cHD6Ly9wcm9qZWNRG”, why isn’t this ‘r=’ part completely removed?

Isn’t it possible to either remove the redirect from site.ltd/sso to site.ltd/yunohost/sso (people will have to type yunohost instead of sso) or to make a redirect without the r= which causes the problem? (Even if I understand the problem is Google itself.)

The r= part isn’t here for nothing, it’s a callback URL meant to redirect you to the page you were looking for once you login … Maybe we could tweak the behavior to use HTTP headers instead, but my rough guess is that it’s gonna be less robust / less practical … I just don’t see anything inherently wrong with using a base64 callback url in query arg, I’ve seen many other software do this as well …
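What the r= callback argument discussed above carries, and a check that keeps such a redirect on the server's own domains, as an added example (not SSOwat's or YunoHost's code, and not part of any post). The domain names, the `MANAGED_DOMAINS` allowlist, the https-only rule and all function names are assumptions, and the sample URLs are constructed.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Assumption: the domains this server answers for (constructed values).
MANAGED_DOMAINS = {"domain.tld", "wiki.domain.tld"}


def encode_callback(url):
    """Build an r= value as the thread describes it: base64 of the URL."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def decode_callback(portal_url):
    """Return the URL carried in r=, or None if missing or not valid base64."""
    values = parse_qs(urlsplit(portal_url).query).get("r")
    if not values:
        return None
    # parse_qs turns '+' into a space; also accept the URL-safe alphabet.
    raw = values[0].replace(" ", "+").replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # padding is often stripped in query strings
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def is_safe_callback(target, managed=MANAGED_DOMAINS):
    """Accept only https URLs, without credentials, on one of our own hosts."""
    if not target or any(c in target for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return host in managed


def check_portal_url(portal_url):
    """Decode r= and say whether following it keeps the user on this server."""
    target = decode_callback(portal_url)
    return target, is_safe_callback(target)


if __name__ == "__main__":
    for dest in ("https://wiki.domain.tld/doku.php", "https://evil.example/login"):
        url = "https://domain.tld/yunohost/sso/?r=" + encode_callback(dest)
        print(url, "->", check_portal_url(url))
```

A login URL with an opaque base64 argument that decodes to another site's address is a pattern phishing kits also use, which is why the decoded host is compared against an explicit allowlist rather than trusted as supplied.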

Now it has happened to me as well. The flagged domain.com was behind the SSO while the main domain for login was yh.domain.com while some other sub domains were freely accessible. It started yesterday morning, with 2 companies listing the site, today it went up to four companies: Avira, Google Safebrowsing, ESET (Phishing) and Seclookup (Malicious).

In Google Search Console it says “Deceptive pages”. The sample URL it lists is located on a different non-yunohost-server with no redirects that I just started using for backups. It says:

Sample Urls:

http://sub.domain.com/
https://sub.domain.com/yunohost/admin/

I have contacted Google via the Search Console, so far nothing has happened, but it’s weekend…

I have two other YunoHost servers with a similar setup, even with different domains, but no problems there. The affected YunoHost server is rather recent, used more for testing than serious stuff for production use. All of them have been updated to the most recent YH version.

Update: Google delisted the domain, yeah! Success! BUT: Virustotal says now: “11 security vendors flagged this URL as malicious”
Yesterday I made the URL open and used Dokuwiki as the main app for the domain.

Maybe the other vendors are slower, they lag behind google. So maybe after a few days, they will delist the domain as well? Let’s see. Otherwise I will deinstall Yunohost on this server and move it somewhere else

UPDATE: In the Google Search Console it is still listed as malicious, but not in Google Safebrowsing according to Virustotal, and I can access the domain.

If it keeps happening I definitely recommend opening a ticket with the Google Webmasters (link in my post above). I now have an open ticket where I can get almost instant help from a real human each time it happens. They have assured me the tech team has “fixed my problem so it will not recur” but I have now been told that twice, after two recurrences, so I am keeping the ticket open :wink:

Should we endlessly beg Google because they break the web due to their horrid monopoly?

Maybe it’s high time at least Firefox (and other independent web browsers) remove this stupid functionality to rely on Google for telling if a website is OK or not OK…

I received a message from Google

Google has received and processed your security review request. Google systems indicate that [your domain] no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site.

But no change over at Virustotal:

12 security vendors flagged this URL as malicious

So Google is not the only problem here, unfortunately…

EDIT three days later: Still flagged by 11 “security vendors”

Just adding my experience here. I operate https://snipettemag.com, but the admin is hosted on a members subdomain which isn’t actively promoted anywhere. Despite that, the domain has been flagged twice by Google’s robots.

The first time, I filed a review request on the search console detailing the security situation (nobody logged in) and also explaining that YunoHost login pages look the same and that doesn’t mean we’re phishing. I also did a “report false flagging” (or whatever the option’s called) from the scary red page itself, again explaining that YunoHost login pages aren’t phishing (and comparing it to Mastodon). I asked a couple of other users to report it as well, and it went away after a few days.

The next time, another user and I did the “report false flagging” with a more strongly worded “we are not even trying to phish and this is the second time, stop messing with us” message. Later that day, I signed in to the search console but by the time I wrote out a review request it had already been un-flagged. (I was annoyed that the request wasn’t even going through; then I realised it was because the flag had been withdrawn so there was nothing to request for).

It’s still annoying though, and if anyone wants to do a hashtag campaign I’m in. (Ditto for the class action, but perhaps with a bit more thought!)

For reference, here’s the first review request I wrote. Please don’t copy it verbatim because I don’t know how Google will like that, but feel free to modify/rephrase it for your own context.

Full review request filed by me to Google

All SSL certificates have been updated recently. Since the security alert from Google Search Console did not provide any specific affected URL, we went through the homepage and last 4 published pages (i.e. all pages from the last 1 month) and could not find any misleading, deceptive, or harmful content. The last 4 published pages include links to the following 17 domains, none of which we found to be deceptive or harmful: academia.edu, avi-loeb.medium.com, lweb.cfa.harvard.edu, theatlantic.com, globalnews.ca, chernobylguide.com, livescience.com, preview.discovermagazine.com, theworldcounts.com, usatoday.com, flatcreekinn.com, arstechnica.com, time.com, www.architectural-review.com, antoniomelonio.medium.com, theconversation.com, www.zmescience.com. We are self-hosting Ghost, YunoHost, Commento, and Goatcounter, all from official sources. Besides that, the only third-party embeds are to Google Fonts and Google Forms. We are assuming neither of those two services have been compromised. One page published on March 2022 has embeds from the Desmos online calculator (https://desmos.com) but the Desmos logo is clearly visible. We verified that the embeds are not looking significantly different from when the page was originally published. If there are any other issues that we missed we would be happy to rectify them.

(Okay, having found and re-read it it’s a lot different than I expected and more like just a bunch of links :sweat_smile: the second report was more focused on “this is YunoHost and you can’t accuse all YunoHost installations of spam” but unfortunately that’s the one where the filing failed and I didn’t save it! Note that I am usually very meticulous about these things and you might not have to go into as much detail as I did).

My YunoHost website has also been falsely flagged by Google about ten days ago. I appealed with their form and the warning seems to be gone now, but my domain has been put on serverHold status by the registry which I assume was an automatic measure to help prevent potential abuse.

I went ahead and contacted the registry to have the serverHold status lifted but it really sucks that Google seems to be flagging so many websites running YunoHost.

Update: according to VirusTotal, it seems like ESET and Avira also flagged my website as malicious, I have contacted them as well and I hope they will unflag it soon.

Another update: Avira keeps unflagging my domain but it gets re-flagged by them shortly after, I think they might either be basing their flags on other security engines or on the WHOIS information which contains the serverHold status.

Today I did a fresh install of the newest version of YunoHost, with a new domain, registered today. 5 minutes after I put the new domain on YunoHost it was flagged by Google Safe Browsing.

Please Fix!!

Edit: I was even dumb enough to try my main company domain with a subdomain, like host.company.com, and the whole f***** domain was flagged.

For all we know, there’s nothing clear to “fix” on our side.

The damn safe browsing gives no clue about what we may be “doing wrong”.

The bug is on Google’s side (and also Firefox’s, which uses this damn “safe” browsing as well), or whichever Virustotal “vendor” is flagging stuff, not ours. Maybe they should stop relying on whatever AI or stupid algorithm system that obviously creates a bunch of false negatives, and maybe they should have some human oversight we can actually talk to …

I didn’t know this was even happening! I use Firefox and I turn off the safe browsing feature so I was blissfully unaware. I do host Castopod so I should probably check to see if it is being flagged or not.

I think Google and others want to control the web so that we don’t go outside their walled gardens…

A good way that works for my server is to change the SSO portal and the webadmin page by adding a legal mention as a link.

That way the page is different from the others.

Thanks for the tip. I was planning on re-purposing the domain but I’ll definitely try to edit the SSO page whenever I install YunoHost again.