Dealing With Google's Malware Robocop

Google's Judge Dredd-inspired process for dealing with phishing and malware is a nightmare for the self-hoster

We're now self-hosting a number of capabilities, such as our Mastodon server and our PixelFed server (plus, of course, this blog!). An unexpected problem this has raised is the way Google repeatedly red-lists our domains for hosting phishing sites and malware. The problem with that? We do not and never have done any such thing. This problem is not unique to us; almost everyone who self-hosts via YunoHost encounters it, and there is a massive thread on their support forum.

Sequence of block and unblock messages from Google

Why it's happening

Frankly I don't know. I mean, it's obviously part of Google's necessary and welcome defences against the bad guys. I'm glad they do that. But the assumptions on which they appear to be working, their triggers for action and the asymmetry of the process all make me very concerned. Because of some undocumented trigger, Google unilaterally causes everyone's web browser to treat my domain as if it is hosting malware, and that prevents staff and clients from accessing our production services. Even after clearing a block, their bot will sometimes re-apply it the same day – see the screenshot above.

It is false and baseless, and the way they misrepresent us to clients approaches defamation (see the warning below), but they do it anyway. Because we are self-hosting, the risk/reward ratio for them is skewed towards blocking rather than investigating.

Red screen from a browser where Google thinks there's malware

Whatever the reasons, the really big practical problem is the asymmetry of their process for us and every other self-hoster. They are fast and devastating on the “shoot first” front, but slow, opaque and uncooperative when it comes to “asking questions later”. Once Google has red-listed one of my domains, a sequence of adverse consequences follows:

All this happens within a few minutes of the relevant bot deciding my YunoHost LDAP is a phishing site. It can then take several hours for me to be advised they have done this, via the search.google.com portal where I have registered all our domains. If I had not done this, I would get no notifications — in Google's world, convicted phishers get no chances to prove they are innocent and there's no deterministic appeals process.

False Malware Report on Google Search Portal
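Because the Search Console notification can lag the block by hours, a self-hoster's best defence is to poll the same verdict Google's browsers see and alert on the first change. The following is an added example, not code from the original post or from YunoHost: it builds the request body for Google's Safe Browsing Lookup API v4 (`threatMatches:find`, a real endpoint; the API key and the domain names are placeholders/assumptions) and parses a response in that API's documented shape into a per-URL verdict, plus a helper that reports which URLs have newly become flagged since the last poll. The sample response embedded below is constructed for illustration, not real Safe Browsing output.

```python
import json

# Real Safe Browsing Lookup API v4 endpoint; the key is supplied by the caller (placeholder here).
LOOKUP_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
API_KEY = "YOUR_API_KEY_PLACEHOLDER"  # assumption: obtained from Google Cloud console
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"]


def build_lookup_request(urls, client_id="selfhost-monitor", client_version="0.1"):
    """Build the JSON body of a threatMatches:find call for the given URLs."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def flagged_urls(response_json):
    """Map each URL named in the response's 'matches' to its list of threat types.

    A clean lookup returns an empty JSON object, so the result is then {}.
    """
    result = {}
    for match in response_json.get("matches", []):
        url = match.get("threat", {}).get("url")
        if url:
            result.setdefault(url, []).append(match.get("threatType", "UNKNOWN"))
    return result


def check_domains(urls, response_json):
    """Per-URL verdict: 'clean' or a comma-joined, sorted list of threat types."""
    flagged = flagged_urls(response_json)
    return {
        u: (",".join(sorted(flagged[u])) if u in flagged else "clean") for u in urls
    }


def newly_flagged(previous, current):
    """URLs that were clean (or unknown) at the last poll and are flagged now.

    Alerting only on this transition keeps a cron job quiet until Google
    actually changes its mind, which, per the post, can happen more than
    once a day.
    """
    return sorted(
        u for u, v in current.items()
        if v != "clean" and previous.get(u, "clean") == "clean"
    )


# Constructed sample (hypothetical domains) in the API's documented response shape.
SAMPLE_URLS = ["https://ldap.example.org/", "https://social.example.org/"]
SAMPLE_RESPONSE = json.loads("""{
  "matches": [
    {"threatType": "SOCIAL_ENGINEERING", "platformType": "ANY_PLATFORM",
     "threatEntryType": "URL", "threat": {"url": "https://ldap.example.org/"},
     "cacheDuration": "300s"}
  ]
}""")


if __name__ == "__main__":
    body = build_lookup_request(SAMPLE_URLS)
    # A live poll would be: requests.post(f"{LOOKUP_ENDPOINT}?key={API_KEY}", json=body).json()
    print(json.dumps(body, indent=2))
    last_poll = {u: "clean" for u in SAMPLE_URLS}  # state saved from the previous run
    verdicts = check_domains(SAMPLE_URLS, SAMPLE_RESPONSE)
    for url, verdict in verdicts.items():
        print(f"{url}: {verdict}")
    print("newly flagged:", newly_flagged(last_poll, verdicts))
```

Run it from cron against the domains you host, persist the verdict dictionary between runs, and page yourself on a non-empty `newly_flagged` result; that gives you the same warning your clients' browsers get, minutes rather than hours after the bot acts.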

Once they have red-listed my domain, what can I do to get it unblocked? It turns out Google don't even admit to the possibility of a false positive. All their processes are heavy on gaslighting you into believing you are the problem. So you have to go along with their game, tell them what you did to remove the malware, and beg for unblocking via the portal. There's no ticket and no tracking. Even when they finally unblock my domains, they never explain anything – they just tell me to take more care not to let the malware be implanted next time.

Removing The Block

So how do we remove these blocks? I have a well-trodden process that often gets the domain delisted within a few hours (although it can take 3-5 days, and the confirmation via the search portal can take even longer).

Taking Action

I can't help thinking Google is out of order here. Making my domains repeatedly unusable, effectively without notification or appeal, and falsely telling my clients and staff that I and my company are a bad actor on the Internet, seems an extreme consequence of their defence actions. It's as if their worldview excludes the possibility that people might be self-hosting servers on the Internet. Or, worse, as if the extremity of their action has the useful side-effect of driving business their way. Personally I think it's time some regulators took a look at things. How about you?


From an original Mastodon thread

To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely doesn't display replies.