Google detects zimbra login pages as phishing sites.

eranga
Posts: 22
Joined: Sat Sep 13, 2014 3:20 am

Postby eranga » Mon Mar 13, 2017 3:04 am

Dear All,

We are an ISP and we maintain many email servers for customers, most of which are Zimbra servers. Since last week we have been facing a weird issue where Google Safe Browsing is detecting some webmail URLs as deceptive/phishing sites. Has anyone else had this problem? It takes 3-4 days and 3-4 reviews before Google finally removes this warning.


jorgedlcruz
Zimbra Employee
Posts: 2644
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Mon Mar 13, 2017 11:07 am

Hello,
Make sure you are running the latest Zimbra versions, and that you are not serving any virus/malware from inside nginx/jetty. Also review the SSH access, to check that no one has accessed the server, etc.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
denos
Posts: 2
Joined: Thu Mar 16, 2017 7:36 pm

Postby denos » Thu Mar 16, 2017 7:39 pm

I'm seeing the same thing. It appears to be a false positive at Google. I have just started the delisting process so the delays you're describing at Google aren't encouraging.
tonster
Zimbra Employee
Posts: 257
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Postby tonster » Fri Mar 17, 2017 1:45 am

Would definitely help to know what version of ZCS this is found on, so we can determine if there's a commonality there.
denos
Posts: 2
Joined: Thu Mar 16, 2017 7:36 pm

Postby denos » Fri Mar 17, 2017 3:22 am

Sure, I wasn't thinking of this as a Zimbra bug so didn't think details were needed. I was running RHEL6 - 8.6.0 1194 (patch 6), but updated to 8.6.0 1211 (patch 8) hoping it might change whatever is triggering this. I use a ZFS filesystem and was able to compare daily snapshots back to December with no change in the integrity of the /opt/zimbra/jetty* content so it really does appear to be a Google false positive.

Firefox uses the same phishing list and is also displaying a bright red "DANGEROUS" page for the webmail login. What's disturbing is that Google doesn't consider this type of block serious. It effectively damages the reputation of the domain, halts traffic to the site and insinuates some kind of proof exists that phishing has occurred. Their best effort of a few days to possibly (based on the original comment) look into the problem is staggeringly smug / complacent and the delist form doesn't require any contact information so they clearly aren't interested in any kind of interaction with affected parties.

For anyone else that is affected, here's the form:
https://safebrowsing.google.com/safebro ... ror/?hl=en
guitardood
Posts: 10
Joined: Sat Sep 13, 2014 3:30 am

Postby guitardood » Thu May 18, 2017 7:06 pm

Has anyone found a solution to this issue? Contacting Google via their search console yields a 'Review failed for' response. The site HAS NOT been compromised in any way and is a pretty standard Zimbra (Release 8.6.0.GA.1153.UBUNTU12.64 UBUNTU12_64 FOSS edition) installation on Ubuntu 12.04.5 LTS. The site is only publicly accessible for a few sales people who need to access the Zimbra web client remotely; otherwise it is just being used internally.

[rant]This is a completely ridiculous overreach by Google in their attempt to police the internet, without properly staffing the maintainers of the so-called 'blacklist'. The reputation of both Zimbra and my recommendation to the customer to use Zimbra are both being completely sabotaged with this big red warning PITA screen. I cannot believe they have not been subjected to many lawsuits regarding this reputation-damaging and unprofessional overreach. The site has never even been submitted to Google for indexing purposes and they have chosen, unilaterally, to index and report on this private email site. Interestingly enough, it is tied to their regular 'www' site in the search console, despite their being separate servers on completely disconnected systems (www is hosted on a third party hosting system, Zimbra is hosted internally). Soooo damn annoying.[/rant]

I'm planning, this weekend, to upgrade Ubuntu to 16 and then get Zimbra upgraded to 8.7.9 in the hopes that this otherwise 150% functional email system can get delisted by Google as being a 'Deceptive' social engineering site.

Any help anyone could provide would be greatly appreciated.

Best,
guitardood
guitardood
Posts: 10
Joined: Sat Sep 13, 2014 3:30 am

Postby guitardood » Fri May 19, 2017 3:47 pm

I have no confirmation of this from Google, but, apparently, Google's reason for this behavior is related to using '302-temporarily moved' instead of '301-permanently moved' for redirects from HTTP to HTTPS. On the site with which I was having problems, we're using the 'z-push' software for ActiveSync emulation into ZCS and were using a meta-refresh tag to send non-ActiveSync connections to the secure Zimbra server running on port 444 (the activesync/z-push apache is using 443).

Once I changed the logic to use Apache's PassProxy for all connections except for ActiveSync and got rid of the meta-refresh directives, the Google accusations of having a deceptive, malware-serving or possibly hacked site were resolved. Again, I have no confirmation from Google regarding the exact reason for their red-listing of our server in the first place, nor that the reason it is delisted is the removal of the meta-tag directive. The only reference I was able to find regarding this was a single thread in Google's webmaster-support forum: https://productforums.google.com/forum/?utm_medium=email&utm_source=footer#!category-topic/webmasters/malware--hacked-sites/lM3vpHcnfR0

Very bad form on Google's part and an extremely stupid reason for them to designate a site as unsafe; however, that seems to be the problem. Hope this helps someone else experiencing the same issue.

Best,
guitardood

P.S. Here's a link to a conversation I started regarding this and the arrogant smugness of Google flag-wavers that this type of unwarranted red-listing of someone's private server is somehow a-ok: https://productforums.google.com/forum/?utm_medium=email&utm_source=footer#!msg/webmasters/qpjaIkPjU4Q/sd-AhTJeBgAJ
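
The last post attributes the listing, without confirmation from Google, to a 302 HTTP-to-HTTPS redirect and a meta-refresh hop to port 444. The following added example (not part of the thread or of Zimbra) audits captured responses for those two patterns; the function names, hostname and sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Added illustration: hostnames and sample responses below are constructed.
class _MetaRefresh(HTMLParser):
    """Collect targets of <meta http-equiv="refresh" content="N; url=..."> tags."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            _, _, rest = a.get("content", "").partition(";")
            key, _, url = rest.strip().partition("=")
            if key.strip().lower() == "url" and url:
                self.targets.append(url.strip(" '\""))

def audit_redirect(request_url, status, headers, body=""):
    """Return (mechanism, target, findings) for one captured HTTP response."""
    headers = {k.lower(): v for k, v in headers.items()}
    findings = []
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        mechanism, target = str(status), urljoin(request_url, headers["location"])
        if status not in (301, 308):
            findings.append("temporary redirect where the post suggests a 301")
    else:
        parser = _MetaRefresh()
        parser.feed(body)
        if not parser.targets:
            return ("none", None, findings)
        mechanism, target = "meta-refresh", urljoin(request_url, parser.targets[0])
        findings.append("client-side meta refresh instead of a server-side redirect or proxy")
    src, dst = urlsplit(request_url), urlsplit(target)
    if dst.hostname != src.hostname:
        findings.append("redirect changes host")
    if dst.port not in (None, 80, 443):
        findings.append(f"redirect lands on non-standard port {dst.port}")
    return (mechanism, target, findings)

# Constructed sample responses (not captured from any real server).
SAMPLES = [
    ("http://mail.example.test/", 302, {"Location": "https://mail.example.test/"}, ""),
    ("https://mail.example.test/", 200, {"Content-Type": "text/html"},
     '<html><head><meta http-equiv="refresh" content="0; url=https://mail.example.test:444/"></head></html>'),
    ("http://mail.example.test/", 301, {"Location": "https://mail.example.test/"}, ""),
]
if __name__ == "__main__":
    for url, status, hdrs, body in SAMPLES:
        print(url, status, audit_redirect(url, status, hdrs, body))
```

An empty findings list means the response uses a permanent server-side redirect on a standard port, which is the state the poster ended up with after removing the meta-refresh.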
