←back to thread

Google flags Immich sites as dangerous

(immich.app)
706 points janpio | 7 comments | 22 Oct 25 20:53 UTC | HN request time: 0.906s | source | bottom
1. donmcronald ◴[22 Oct 25 21:46 UTC] No.45675582[source]
I tried to submit this, but the direct link here is probably better than the Reddit thread I linked to:

https://old.reddit.com/r/immich/comments/1oby8fq/immich_is_a...

I had my personal domain I use for self-hosting flagged. I've had the domain for 25 years and it's never had a hint of spam, phishing, or even unintentional issues like compromised sites / services.

It's impossible to know what Google's black box is doing, but, in my case, I suspect my flagging was the result of failing to use a large email provider. I use MXRoute for locally hosted services and network devices because they do a better job of giving me simple, hard limits for sending accounts. That way if anything I have ever gets compromised, the damage in terms of spam will be limited to (ex) 10 messages every 24h.

I invited my sister to a shared Immich album a couple days ago, so I'm guessing that GMail scanned the email notifying her, used the contents + some kind of not-google-or-microsoft sender penalty, and flagged the message as potential spam or phishing. From there, I'd assume the linked domain gets pushed into another system that eventually decides they should blacklist the whole domain.

The thing that really pisses me off is that I just received an email in reply to my request for review and the whole thing is a gas-lighting extravaganza. Google systems indicate your domain no longer contains harmful links or downloads. Keep yourself safe in the future by blah blah blah blah.

Umm. No! It's actually Google's crappy, non-deterministic, careless detection that's flagging my legitimate resources as malicious. Then I have to spend my time running it down and double checking everything before submitting a request to have the false positive mistake on Google's end fixed.

Convince me that Google won't abuse this to make self hosting unbearable.

replies(3): >>45676913 #>>45676967 #>>45677698 #
2. foobarian ◴[23 Oct 25 00:40 UTC] No.45676913[source]
Wonder if there would be any way to redress this in small claims court.
3. akerl_ ◴[23 Oct 25 00:48 UTC] No.45676967[source]
> I suspect my flagging was the result of failing to use a large email provider.

This seems like the flagging was a result of the same login page detection that the Immich blog post is referencing? What makes you think it's tied to self-hosted email?

replies(1): >>45678756 #
4. david_van_loon ◴[23 Oct 25 02:53 UTC] No.45677698[source]
I'm in a similar boat. Google's false flag is causing issues for my family members who use Chrome, even for internal services that aren't publicly exposed, just because they're on related subdomains.

It's scary how much control Google has over which content people can access on the web - or even on their local network!

replies(1): >>45678349 #
5. Larrikin ◴[23 Oct 25 05:11 UTC] No.45678349[source]
It's a good opportunity to recommend Firefox when you can show a clear abuse of position
replies(1): >>45678757 #
6. donmcronald ◴[23 Oct 25 06:17 UTC] No.45678756[source]
I'm not using self hosted email. My theory is that Google treats smaller mail providers as less trustworthy and that increases the odds of having messages flagged for phishing.

In my case, the Google Search Console explicitly listed the exact URL for a newly created shared album as the cause.

https://photos.example.com/albums/xxxxxxxx-xxxx-xxxx-xxxx-xx...

I wish I would have taken a screenshot. That URL is not going to be guessed randomly and the URL was only transmitted once to one person via e-mail. The sending was done via MXRoute and the recipient was using GMail (legacy Workspace).

The only possible way for Google to have gotten that URL to start the process would have been by scanning the recipient's e-mail. What I was trying to say is that the only way it makes sense to me is if Google via GMail categorized that email as phishing and that kicked off the process to add my domain to the block list.

So, if email categorization / filtering is being used as a heuristic for discovering URLs for the block list, it's possible Google's discriminating against domains that use smaller email hosts that Google doesn't trust as much as themselves, Microsoft, etc..

All around it sucks and Google shouldn't be allowed to use non-deterministic guesswork to put domains on a block list that has a significant negative impact. If they want to operate a clown show like that, they should at least be liable for the outcomes IMO.

7. donmcronald ◴[23 Oct 25 06:17 UTC] No.45678757{3}[source]
Firefox uses the same list.