Google flags my sites as dangerous (Deceptive site ahead)

@Aleks

I’ve redirected my main URL (which was proposing to login to yunohost) to another service on my yunohost and the google shit disappeared.

The service itself proposes to login (it’s hedgedoc) but it only appears when you click on a link. So a workaround could maybe be to use a similar behavior on the main yunohost login page. I understand it’s a PITA, but it seems this interference of google in “how a website should be” is driving everyone crazy.

Google is really bad and “evil” (they removed the “don’t be evil” motto from their slogan probably for a purpose)

How?

Don’t forget that it’s not only Google. Google was in my case easy to deal with. But my URL has been listed by 11 other “vendors”, and this is still the case more than a week after Google delisted the URL. I even uninstalled Yunohost on that server and pointed the domain to another server without Yunohost where it only displays Apache’s default page. Nevertheless nothing changes, still listed by 11 vendors (including some that are used at work, where this URL therefore is blocked). And how to contact all of them? Not so straightforward as with Google, it seems.

(Other stories of Google ruining people’s lives: Google just shut down our $1M business | Hacker News)

3 Likes

I don’t use Google for anything, but I still got flagged after my sister (who uses Gmail) emailed my mother (who doesn’t use Google anything) a link to my Element login.

Avoiding Google (/Microsoft/Amazon/Apple/Facebook) is good imo, but it’s not enough unless you can get everyone else to avoid them, too.

1 Like

Got flagged by Google as Phishing and, according to VirusTotal, by Seclookup as Malicious, bringing down my main domain with Akkoma, as well as subdomains: Roundcube, Element, Whitebophir, Listmonk, CryptPad, static html pages. It’s a dedicated server, IP was used by me for a year, never in blocklists, 10/10 mail-tester rating, Let’s Encrypt on every subdomain.

Core:
ssowat 11.1.4
yunohost 11.1.12

Apps:
akkoma 3.6.0~ynh1 (main domain)
cryptpad 5.2.1~ynh4
element 1.11.23~ynh1 (behind sso)
etherpad 1.8.18~ynh2
listmonk 2.3.0~ynh3
my_webapp 1.0~ynh13
roundcube 1.6.0~ynh3 (behind sso)
synapse 1.77.0~ynh1
whitebophir 1.19.0~ynh1 (behind sso)

Links to SSO pages appeared in private Matrix and Telegram chats (with people who have Google services installed on their phones) when I explained to users how to sign in, but not on public social media. My SSO page looks slightly different from the YunoHost defaults. Logo and Cyrillic font are added with CSS, contact email is added with JS.

I found no misbehaving apps. The most recent install was Listmonk this week. One unusual thing about my server may be that after creating every subdomain, I turn off both incoming and outgoing email for it and manually remove its remaining autoconfig/mail/config-v1.1.xml about which the diagnostic complains.

I wonder if sharing the URLs without creating links would help everyone. In security articles I have started seeing URLs being shared like this: something[.]example[.]com/nextcloud

Email would be someone[at]example[.]com

Etc…

That way a hyperlink is never created. There would need to be an explanation along with sharing the URL to clarify.
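The defanging convention suggested in the post above, as an added example that is not part of the original thread. The function names `defang` and `refang` and the `example.com` sample message are constructed for illustration, and rewriting the scheme to `hxxp`/`hxxps` is a common convention in security write-ups that goes beyond what the post shows.

```python
import re

# One pattern with the e-mail alternative first, so an address is never
# half-matched as a bare hostname. Anything that looks like host.tld is
# treated as a host, so file names such as "access.lua" get defanged too.
_TOKEN = re.compile(
    r"(?P<user>[A-Za-z0-9._%+-]+)@(?P<mhost>(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})"
    r"|(?:(?P<scheme>https?)://)?"
    r"(?P<host>(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})(?P<rest>[:/?#]\S*)?"
)


def _defang_match(m):
    if m.group("user"):
        # someone@example.com -> someone[at]example[.]com
        return m.group("user") + "[at]" + m.group("mhost").replace(".", "[.]")
    scheme = m.group("scheme")
    prefix = scheme.replace("tt", "xx") + "://" if scheme else ""
    # Only the host is rewritten; port, path and query stay readable.
    return prefix + m.group("host").replace(".", "[.]") + (m.group("rest") or "")


def defang(text):
    """Rewrite URLs and e-mail addresses so clients do not auto-link them."""
    return _TOKEN.sub(_defang_match, text)


def refang(text):
    """Reverse defang() so the recipient can paste a working address."""
    text = text.replace("[.]", ".").replace("[at]", "@")
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text)


if __name__ == "__main__":
    # Constructed sample message, not taken from any real server.
    msg = "Sign in at https://sso.example.com/yunohost/sso/ or mail admin@example.com."
    safe = defang(msg)
    print(safe)
    print(refang(safe))
```

Running `defang` on text that is already defanged leaves it unchanged, so it can be applied to a whole message before it is pasted into a chat.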

My server got flagged, too. I only have Nextcloud, Synapse and Element Web apps installed. I don’t use Google services (their services are blocked at the router DNS level). It happened the same day though that I sent a login link to a family member who uses Gmail, so yet again it seems that when Google first detects a server through any of their services they scan and for whatever reason flag it as phishing.

I refuse to register who owns/runs/uses my site with Google though, so I didn’t use search console. I just chose to view the site anyway which in Firefox displayed a warning bar at the top and a button saying that it isn’t a deceptive site. I clicked that, entered the domain name and a comment just saying that the site wasn’t asking for any login details but those of the same site. Next day it was unblocked and VirusTotal has changed from 2 sites reporting it as phishing to zero.

I changed zero code/settings on my site.

I’m sorry for the mistake of posting at the beginning, when there was already a thread on the subject.
These links are the ones that Google returns to the query made.

Link with information on possible causes
Another link

Check your website for correct redirects

I don’t mind that google decides that my website is not safe. But got a call from my mother panicked that my little music server is hacked…

Here, Google is telling me why I’m a deceptive website.

I just want more info on that music app - was it part of yunohost, should I be worried?

1 Like

You don’t need to be worried, probably because I don’t have it installed on my root domain, it just redirects from my root domain.

The app is Navidrome, check it out it’s amazing!

2 Likes

So far, adding a static homepage didn’t help. Registering in search console and opening tickets didn’t help, they unflagged and flagged again. Sending error reports didn’t help. Last weekend, another appeal. Today, another flag. Google is trying to force me to forget my friends’ domain that used to have perfect reputation and turn $500 of our server payments into waste. Not happening, instead I’m going to drop most usage of Google services in favor of self-hosting and/or competitors, and talk to colleagues and relatives about what they think of Google’s abusive practices and the possibilities of boycotting them.

1 Like

I’m using a domain for the login page that is different from the other domains where I have my apps. Google flags only that domain, the others are not concerned.

Firefox on mobile doesn’t even have an option to bypass the Google warning, nor can Google Safe Browsing be turned off on FF mobile.

I’m starting to hate the lovely Firefox.

1 Like

My hypothesis is that the crawler is fine with the URL but wants an additional consent step before a redirect. As an experiment, I’ll try replacing the final redirect in access.lua with a 403 HTML response containing that base64 link to which the user would previously be redirected, and the base of the portal URL in visible plain text.

Hello to all resisters! I have the same problem as you all, impossible to get rid of the red flag of google while my site is clean. Did you find a solution to solve this problem? Should we sue Google for this prejudice? Or launch a massive attack to disable Google once and for all?

Little answers to your right questions:

  • Yes and no, we found some solutions to this problem but not The Solution. If you read this thread you can find some of these solutions;
  • Yes, we would sue google and also launch many attacks against 🙂

Contacting google was easy, after two days everything was okay. The worst problem for me is all the other “security vendors”. My domain was flagged by 11 other “security vendors” according to virustotal.com and I contacted some of them, but only one of them responded, so it seems I have to ditch the whole domain. There might be something in the redirection of the YH SSO system that triggers the phishing warnings.

1 Like

Hello, I have the same problem