Google flags my sites as dangerous (Deceptive site ahead)



I’ve redirected my main URL (which was proposing to login to yunohost) to another service on my yunohost and the google shit disappeared.

The service itself proposes to login (it’s hedgedoc) but it only appears when you click on a link. So a workaround could maybe to use a similar behavior on the main yunohost login page. I understand it’s a PITA, but it seems this ingerence of google in “how a website should be” is driving everyone crazy.

Google is really bad and “evil” (they removed the “don’t be evil” motto from their slogan probably for a purpose)


Don’t forget that it’s not only Google. Google was in my case easy to deal with. But my URL has been listed by 11 other “vendors”, and this is stil the case more than a week after Google delisted the URL. I even deinstalled Yunohost on that server and pointed the domain to another server without Yunohost where it only displays Apache’s default page. Nevertheless nothing changes, still listed by 11 vendors (including some that are used at work, where this URL therefore is blocked). And how to contact all of them? Not so straightforward as with Google, it seems.

(Other stories of Google ruining people’s life : Google just shut down our $1M business | Hacker News)


I don’t use Google for anything, but I still got flagged after my sister (who uses Gmail) emailed my mother (who doesn’t use Google anything) a link to my Element login.

Avoiding Google (/Microsoft/Amazon/Apple/Facebook) is good imo, but it’s not enough unless you can get everyone else to avoid them, too.

1 Like

Got flagged by Google as Phishing and, according to VirusTotal, by Seclookup as Malicious, bringing down my main domain with Akkoma, as well as subdomains: Roundcube, Element, Whitebophir, Listmonk, CryptPad, static html pages. It’s a dedicated server, IP was used by me for a year, never in blocklists, 10/10 mail-tester rating, Let’s Encrypt on every subdomain.

ssowat 11.1.4
yunohost 11.1.12

akkoma 3.6.0~ynh1 (main domain)
cryptpad 5.2.1~ynh4
element 1.11.23~ynh1 (behind sso)
etherpad 1.8.18~ynh2
listmonk 2.3.0~ynh3
my_webapp 1.0~ynh13
roundcube 1.6.0~ynh3 (behind sso)
synapse 1.77.0~ynh1
whitebophir 1.19.0~ynh1 (behind sso)

Links to SSO pages appeared in private Matrix and Telegram chats (with people who have Google services installed on their phones) when I explained users how to sign in, but not on public social media. My SSO page looks slightly different from the YunoHost defaults. Logo and Cyrillic font are added with CSS, contact email is added with JS.

I found no misbehaving apps. The most recent install was Listmonk this week. One unusual thing about my server may be that after creating every subdomain, I turn off both incoming and outgoing email for it and manually remove its remaining autoconfig/mail/config-v1.1.xml about which the diagnostic complains.

I wonder if sharing the URLs without creating links would help everyone. In security articles I have started seeing URLs being shared like this: something[.]example[.]com/nextcloud

Email would be someone[at]example[.]com


That way a hyperlink is never created. There would need to be an explanation along with sharing the URL to clarify.

My server got flagged, too. I only have Nextcloud, Synapse and Element Web apps installed. I don’t use Google services (their services are blocked at the router DNS level). It happened the same day though that I sent a login link to a family member who uses Gmail, so yet again it seems that when Google first detects a server through any of their services they scan and for whatever reason flag it as phishing.

I refuse to register who owns/runs/uses my site with Google though, so I didn’t use search console. I just chose to view the site anyway which in Firefox displayed a warning bar at the top and a button saying that it isn’t a deceptive site. I clicked that, entered the domain name and a comment just saying that the site wasn’t asking for any login details but those of the same site. Next day it was unblocked and VirusTotal has changed from 2 sites reporting it as phishing to zero.

I changed zero code/settings on my site.

I’m sorry for the mistake of posting at the beginning, when there was already a thread on the subject.
These links are the ones that Google returns to the query made.

Link with information on possible causes
Otro link

Check your website for correct redirects

I don’t mind that google decides that my website is not safe. But got a call from my mother panicked that my little music server is hacked…

Here, Google is telling me why I’m a deceptive website.

i just want more info on that music app - was it part of yunohost, should i be worried?

1 Like

You don’t need to be worried, probably because I don’t have it installed on my root domain, it just redirects from my root domain.

The app is Navidrome, check it out it’s amazing!


So far, adding a static homepage didn’t help. Registering in search console and opening tickets didn’t help, they unflagged and flagged again. Sending error reports didn’t help. Last weekend, another appeal. Today, another flag. Google is trying to force me to forget my friends’ domain that used to have perfect reputation and turn $500 of our server payments into waste. Not happening, instead I’m going to drop most usage of Google services in favor of self-hosting and/or competitors, and talk to colleagues and relatives about what they think of Google’s abusive practices and the possibilities of boycotting them.

1 Like

I’m using a domain for the login page that is different from the other domains where I have my apps. Google flags only that domain, the others are not concerned.

Firefox on mobile doesn’t even have an option to bypass the Google warning, nor can’t Google Safe browsing be turned off on FF mobile.

I’m starting to hate the lovely Firefox.

1 Like

My hypothesis is that the crawler is fine with the URL but wants an additional consent step before a redirect. As an experiment, I’ll try replacing the final redirect in access.lua with a 403 HTML response containing that base64 link to which the user would previously be redirected, and the base of the portal URL in visible plain text.

Hello to all resisters! I have the same problem as you all, impossible to get rid of the red flag of google while my site is clean. Did you find a solution to solve this problem? Should we sue Google for this prejudice? Or launch a massive attack to disable Google once and for all?

Little answers to your right questions:

  • Yes and no, we found some solutions to this problem but not The Solution. If you read this thread you can find some of these solutions;
  • Yes, we would sue google and also lunch many attacks against :slight_smile:

Contacting google was easy, after two days everything was okay. The worst problem for me are all the other “security vendors”. My domain was flagged by 11 other “security vendors” according to and I contacted some of them, but only one of them responded, so it seems I have to ditch the whole domain. There might be something in the redirection of the YH SSO.system that triggers the phishing warnings

1 Like

Bonjour, j’ai le même soucis