Domain Flagged for Suspicious Activity - Google Safe Browsing

Artashes

This has been one of the most annoying messages from Google Safe Browsing that I've been receiving through my domain registrar for a few months now:

Hello there,

We wanted to let you know that suspicious activity was detected on <snipped> dot com by Google Safe Browsing (https://safebrowsing.google.com) and it has been flagged. This can mean a few things, but generally it means that your domain is being used for what appears to be malicious activity. This probably means your website has been hacked or exploited in some way. For information on how to unflag your site please visit https://developers.google.com/web/fundamentals/security/hacked/request_review.

If the domain was using any of our hosting services, those DNS records and our name servers have been removed to prevent our IP addresses from getting blacklisted. If we receive a complaint or the domain remains listed for too long we may have to suspend it. Please contact support and mention that your domain has been listed in the Google Safe Browsing database if you require more information.

Thank you,
The Porkbun Team

🤮

Problem is, the domain in question has never even been an active website, but is being used as a nameserver for a few personal sites. How the hell would it even get on a suspicious activity list for malicious activity?

I tried going through the steps to no avail. Has anyone had to deal with this before?
 
A few different ways you can end up on the list:
  1. Potential hack/exploit files stored on the server
  2. Spam previously sent from the domain and the domain is on a blacklist
  3. Redirections - if the page auto-redirects, we've seen those trigger the Suspicious Activity alert

Have a look in the file system for the domain, make sure there is NOTHING there other than your default or text file for the domain itself.

Then check mxtoolbox and check your domain against their blacklist to see if there's anything there.

Also, check "site:domain.com" in your URL (replacing domain of course) to see if that domain is indexed by Google and if there is anything on any URL cache that could give an indication.

I've dealt with a malicious file on a website before for clients. Once you clear it and rescan from inside Google Webmaster Console (now Search Central), you can resubmit for inclusion.
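
Added example, not part of the original post: a small Python audit of a domain's document root covering the file-system and redirect checks from the reply above. The allowlist (`index.html`, `robots.txt`) and the redirect patterns are assumptions to adjust for your own host.

```python
import os
import re

# Assumption: the only files expected in a parked / nameserver-only docroot.
ALLOWED = {"index.html", "robots.txt"}

# Content that makes a page or the server config auto-redirect visitors.
REDIRECT_PATTERNS = {
    "meta refresh": re.compile(
        rb"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
    "js location": re.compile(
        rb"(?:window|document|top)\.location(?:\.href)?\s*=|location\.replace\s*\(",
        re.I),
    "htaccess redirect": re.compile(
        rb"^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\b", re.I | re.M),
}

def audit_docroot(root, allowed=ALLOWED, max_bytes=1_000_000):
    """Return (unexpected_files, redirect_hits) for everything under root."""
    unexpected, redirects = [], []
    for dirpath, _dirs, files in os.walk(root):  # dotfiles are included
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel not in allowed:
                unexpected.append(rel)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # cap the read for large files
            except OSError:
                continue  # unreadable file: already reported if unexpected
            for label, pattern in REDIRECT_PATTERNS.items():
                if pattern.search(data):
                    redirects.append((rel, label))
    return sorted(unexpected), sorted(redirects)

if __name__ == "__main__":
    import sys
    unexpected, redirects = audit_docroot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel in unexpected:
        print("unexpected file:", rel)
    for rel, label in redirects:
        print("redirect (%s): %s" % (label, rel))
```

Run it with the document root as the only argument; anything it prints is worth reviewing before requesting a Safe Browsing review.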
 
In my experience Google has a lot of sway on the internet, and when you get these sorts of notices it's very hard to get it removed without contacting Google or the specific blacklist you are listed on and requesting your removal.

I highly recommend virustotal.com, which will show you the list of all the blacklists you are on. That way you can reach out to any on that list and request your removal. Mxtoolbox.com is another good blacklist checker, though that one is more for email checking.

Of course I would also recommend some sort of service to scan for malware, but if you are sure that is not the issue I believe you might've been added to a blacklist. Any host that has CloudLinux will usually have Imunify360 which will offer real-time scanning and removal of malware on your hosting account. In some cases this can be more to blame with the reputation of your webhost and IP, and not even related to the content you have on your site.
 