Ask HN: Google Ads Rejected My SaaS as Compromised Site
65 points by madjam002 3 months ago | 60 comments
I’m a solo founder and really struggling to get Google Ads running for my website. My site always gets flagged as Compromised Site and Malicious Software, even though I’ve done several checks that show it’s clean. Even Google’s own Safe Browsing shows it as clean.

Their latest feedback after appealing suggests I change from a .co.uk to .com to resolve the issue which seems like complete nonsense.

Does anyone have any suggestions on how I can fix this? All of my competitors are running ads and it’s extremely frustrating as a solo founder that I am unable to do so.

Will post my website on request as I’m not sure if I’m allowed to post it.




I'd bet just about anything that Google uses machine learning to decide whether or not to trust a site for ads. It seems like the only solution that would work at a large enough scale to handle that kind of demand (versus more defined but more labor- and resource-intensive malware/fraud detections). I think that also explains why the review process seems so arbitrary and ineffective - in essence, not even Google knows why Google decided your site was bad. I used to help people with hacked websites, but eventually I had to refuse to work on projects where the only symptom was a Google Ads denial because it was such nonsense. In one case a guy completely removed his site and replaced it with a 0-byte page, and even after we saw Google-owned IP addresses doing a crawl in the site access logs, they still told him there was malware (including a list of infected URLs that no longer existed).

If I'm correct, changing your domain might help in that machine learning algorithms consume tons of signals and maybe altering that particular one would push your site under the "bad" threshold. But it might not do anything. It's a super frustrating problem. I hope you can stumble onto a solution or find someone at Google willing to help.


> It seems like the only solution that would work at a large enough scale to handle that kind of demand

It doesn’t work. These automated systems are flagging a (presumably) benign site and an article yesterday regarding their $5M lawsuit for running a scam ad on their SERP for “Coinbase support” suggests the automated systems can be bypassed too.

I’m not saying automated detection can’t be a part of it, but we shouldn’t accept companies automating away decision making as if computer-derived errors are acceptable.

The larger point is that Google isn’t exactly strapped for cash. They could hire an army of reviewers. They just don’t.


Point taken; it "works" for certain values of "work."

> They could hire an army of reviewers. They just don’t.

They may actually do that too, but perhaps there are thresholds that must be met for something to reach a reviewer. I have some sympathy for Google here as I work on email security in a high-volume environment. ML is one tool in the box, and human reviewers are another. Everything is a tradeoff between resources, false positives, and false negatives.

At least my organization's customers can contact support if something is going wrong, but for people trying to legitimately use Google Ads, it can be an extremely frustrating situation of shouting into the void. (And getting boilerplate support answers back from the void.)


Hate to say it, but unless this post gets traction or you have a huge social media following and can successfully go viral while calling them out — nothing will happen.

Tons of Google products are going haywire right now and it’s clear nobody at the Monopoly money machine is at the wheel or even cares.

Google search console was down for multiple days recently. If you check your Gmail spam folder, you’ll see lots of legitimate emails in there from the past few weeks. Google My Business profiles have been disallowing legitimate profile pictures for months. I could go on.


I have (legitimate) emails from google sat in my gmail spam ...


Your domain has a 20+ year ownership history. Are you the first owner? The suggestion that you switch to .com could be a subtle way to tell you that your domain has a bad reputation that cannot be fixed. Once Google thinks a domain is bad, it’s hard to change their mind. If you’re not the first owner, you don’t know what the previous owners did using the domain.


Good shout, I never even considered this. Now that you mention it, I did buy the domain from a seller back in 2020, so yes perhaps this has something to do with it.

I'm checking web.archive.org and it all looks pretty innocent so far apart from the domain for sale pages that started around 2011


> The suggestion that you switch to .com could be a subtle way to tell you

If it is, then they should say what they mean instead.


Yeah, in that case, they're simultaneously hinting that you've been caught in an ML capture net, yet provide you with a means to bypass it, negating the automated mechanism they used to prevent bad behaviour in the first place.


I've run into this "Compromised site" issue before, and it can be a real headache. It's usually due to some security vulnerability that Google is picking up on. I’d recommend scanning your site with a good security tool to make sure there’s nothing unusual going on.

If you’re looking for some specific guidance, I found this article really helpful: https://www.gomahamaya.com/compromised-site-malicious-softwa.... It breaks down the steps to fix the issue. Let me know if you need any more help—I've dealt with similar problems before!

Good luck getting your ads back on track!


I run Google Ads professionally and this has also happened to me. I was never unable to fix it directly. One time, I had a WordPress site that Google Ads claimed was a compromised site. I migrated it to a landing page provider (Unbounce), and Google Ads still insisted the site was compromised even though Google's tools said the site was clean.

What I did to fix this was to migrate my landing pages to a new domain. (I believe migrating my landing pages to a different subdomain on the same domain would also work, but I haven't tested this.)

You don't need to run traffic to your full website. All you need is a marketing website to run traffic to. That marketing website doesn't even need database integration, so you can put that marketing website on a totally different server.

So to fix this issue, I wouldn't try to fix it. I'd just create a marketing website somewhere else and direct traffic to that.


Thanks, I think you're right. I might try a subdomain and if that doesn't work a separate domain altogether, although I would have thought if I link through to the main site surely they'd still block it.. but we'll see


To be super clear you’re trying to buy ads or serve them? I had a pretty bad experience with buying ads in the past as they kept flagging my account because I was using a virtual CC. I had to reach out to one of my ex-colleagues over there to get unblocked…


Someone should start a forum for connecting above-board, legitimate businesses with xooglers the way special interest groups connect corporations with former congressmen who want to become lobbyists. You'd hire them as "marketing consultants," and they would be able to represent you.


There was something similar shown here on HN a few months back (but for current Googlers) [0]. Apparently this counts as commercial bribery. I guess ex Google Ads folk giving their market expertise to another company as an SEO Consultant might not be a problem, unless somehow they're breaking an NDA about divulging company secrets or special sauce?

[0] https://news.ycombinator.com/item?id=40431126 "Show HN: Pls Fix – Hire big tech employees to appeal account suspensions (plsfix.co)"


I want to buy ads on Google Search results for certain keywords to direct people to my business. I haven't had any trouble with Facebook Ads in the past


Couple of things you can check:

1. See if VirusTotal lists your site (including subdomains, app.domain and www.domain, etc): https://www.virustotal.com/gui/home/url

If wrongly flagged, reach out to each security vendor manually - takes about 3-5 days to get them to rescan manually and remove any flags.

2. Check for any dodgy javascript libraries you might inadvertently be using. Specifically, just remove all non-relevant JS until you get approved, then you can slowly add them back in if really needed.

Super frustrating that Google has this much power, and totally ridiculous they want you to switch to .com (pretty sure that's an outsourced CS worker giving you a random suggestion).


Thanks I was trying this recently and it came back all green.

On a related note, one interesting thing I did discover, due to a small misconfiguration of NextJS + App Router, I was getting two </html> closing tags in my markup, which https://sitecheck.sucuri.net/ was flagging as potential site compromise, I guess because a site with malware injecting unwanted scripts could cause broken markup as a common side effect? Anyway I long since fixed that and it hasn't made a difference.


This happens fairly often. But honestly it's a bit ridiculous that Google suggests that you change from a .co.uk to a .com to resolve the issue. That is NOT an option unless they're going to pay for the domain and the domain migration.

I would keep pushing back on that, there is no way that you need to move to another TLD.

They say that the site is "compromised and has malicious software", I bet it's actually something else, like a site that you're linking out to that's compromised and malicious--that's happened quite a bit in cases where sites are flagged like this in Google Ads.


The logical thing to do would be to provide that feedback as part of the assessment, if they're linking to a compromised site. Even that seems flawed, however. If OP's site is marked as compromised (and isn't) and someone links to it, will they then also be denied access to advertising because their site is now compromised? Soon thereafter I imagine that we have a runaway cascade and everyone is "compromised".


> Soon thereafter I imagine that we have a runaway cascade and everyone is "compromised".

The web isn't as well woven as it used to be. They'll just harm a bunch of innocent people, not numerous enough for the public at large to even notice.


These stories reappear every now and then here. I remember my startup's domain was blocked by Microsoft Ads (.us TLD). Couldn't even appeal their decision but as a startup David you're rarely gonna go against Goliath and just pick another battle.

A friend's gym, freedomfit.us, a now two year old domain that SSLTrust.com.au lists as clean still seems to hit issues with some people. They moved to another domain, ff-wp.com on another hoster but that didn't help their issues with some people that still can't access it. That makes me wonder if associativity by content is viral to the new domains - from a malware-spreading perspective that would of course make sense but I could imagine this doing more harm than good.

If anyone has insights on the best ways to establish trust for new domains/startups, I'm sure the crowd would appreciate your time and insights. What I'm doing so far is trying to manually categorize/list the URLs with the dominant firewall/antivirus vendors, but it's a lengthy manual process and I'm not sure of the benefits either.


Is your domain relatively new? It might be that Google's automated systems don't yet "trust" it due to a lack of history/backlinks, or it could be similar to a flagged domain from the past. This might be why they're suggesting you switch to a different domain.

To improve this, you could work on building more "authority" for your domain by gaining backlinks, which could help increase its trustworthiness. If time is an issue, you might consider purchasing an existing domain with a solid reputation. There are also some SEO tools which can give you insights into a domain.


Ran into the same issue when I purchased a .ml domain (naively not looking into why .ml is such a cheap TLD to buy good names for, it has a super high spam risk). Purchased a different .com domain and haven't had any issues since. I didn't change content or anything, besides changing the domains in all of my links, and the same google ad campaigns and workspace for the new URL were able to be created without issue.


One thing I thought it could be is I use PostHog for analytics / heat map recording, but I tried completely removing it and they still rejected it.


One of my sites got flagged as a Compromised Site by Google. I used PostHog on that site as well!


Was it flagged as Compromised Site on Google Ads or actually blocked in Chrome (Google Safe Search)?


Blocked in Chrome.


It looks like you still have rrweb running. Have you tried removing that?


I've readded it since removing it entirely because I haven't got anywhere with Google


Do you get flagged in any databases here: https://www.ssltrust.com.au/ssl-tools/website-security-check

As far as I know, Google is partnered with a lot of them, and if you’re flagged in one you’ll need to contact them to get removed.



I am struggling with this problem also. After several failed attempts at appeals, they also suspended a family member's ads account saying they were detected as related to me. Have resorted to paying thousands of dollars for Google un-suspension services. Have never knowingly broken any Google rule ever.


Sorry to hear that, what service are you using if you don't mind me asking?


It's not the same thing, but it's still Google, soo.... all three of my kids are on school or club sports teams that use Teamsnap (https://www.teamsnap.com/) for coordination. This includes exposing calendar subscriptions to Google Calendar and delivering messages & event/change notifications via email (and push notification via the mobile app). For some reason, Gmail has decided that Teamsnap is no longer a trusted sender and throws big caution notices with every email. It's exceptionally annoying, and stupid, given what the app is, what it's used for, and how long it's been around. I don't know whether it's an ML heuristic that's picking up on something, whether it's an email server configuration change on the Teamsnap side, or whether Google's just created a bug, but it impacts potentially all of Teamsnap's 25 million users in the US.


Can't confirm, just tried and it got sent into my inbox, no warnings. It even got marked as important.


So, after checking this thread again I went and searched for unread Teamsnap emails in my inbox again. None are displaying warnings now/anymore. This is after several days where all of them were, and since I posted this reply an hour ago the problem has ceased.


Reputation is crowdsourced. Perhaps at some point Teamsnap lost control of their infra and sent out a bunch of malware. Why do you assume the mistake was Google's? Same question for the OP. If Google was trying to tell me my site was compromised the first course of action I would take is to have a look into that, or page secops, before that situation spreads further.


After years of similar issues, why are you giving them the benefit of the doubt? Especially if they won't explain what the issue is and gave out such ludicrous advice to the OP?


Which similar issue? The other people who were hosting malware who didn't realize it?


There have been quite a few complaints along these lines on HackerNews and elsewhere. Sometimes Google gets it wrong, and then people end up stuck, as you can't contact them.


Did said complainants seem to evince competence or willingness to investigate?


As noted, there are years of such complaints. Evince internet search competence.


I'd say Google them but that product has also become terrible.


Naïve ideas:

- domain reputation
- IP address reputation
- hot linked image/css/js from a malware-flagged domain
- possibly the domain is highly correlated with a malware / SEO clout ring (a group of other domains specifics used to try and game whatever benefit PageRank may still have)

When I maintained a social media site, we had lots of users hotlink to random websites that hosted an image they wanted to display. If the hotlinked host/domain got flagged as Malware hosting, our user’s page (on our domain) would also get flagged. Note: this was Google Chrome’s malware detection, not AdWords, but it may be relevant info.
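
As an added example (not part of any commenter's post): a small Python audit covering two markup checks raised in this thread, namely which third-party hosts a page loads scripts, styles, images or frames from, and whether the markup contains more than one `</html>` closing tag. The page URL, host names and sample markup are constructed placeholders.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags and the attribute that makes the browser fetch a resource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceAudit(HTMLParser):
    """Collect hosts a page loads resources from and count </html> end tags."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.external = defaultdict(set)  # host -> {(tag, absolute url)}
        self.html_end_tags = 0

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return  # inline script, or a tag we do not track
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        host = urlparse(url).hostname
        if host and host != self.page_host:
            self.external[host].add((tag, url))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_end_tags += 1


def audit(page_url, markup):
    """Return third-party resource hosts and a duplicate-</html> flag."""
    parser = ResourceAudit(page_url)
    parser.feed(markup)
    parser.close()
    return {
        "external_hosts": {h: sorted(v) for h, v in sorted(parser.external.items())},
        "duplicate_html_close": parser.html_end_tags > 1,
    }


# Constructed sample page; every host name is a placeholder.
SAMPLE = """<!doctype html><html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://analytics.example.net/a.js"></script>
</head><body>
<img src="//images.example.org/banner.png">
<img src="/logo.png">
<script>console.log("inline")</script>
</body></html></html>"""

if __name__ == "__main__":
    report = audit("https://www.example.co.uk/", SAMPLE)
    for host, uses in report["external_hosts"].items():
        print(host, [tag for tag, _ in uses])
    print("duplicate </html>:", report["duplicate_html_close"])
```

Each host in the output can then be looked up individually in the reputation checkers mentioned elsewhere in the thread.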


Happened to my company where I work at, final solution? We nuked the site, basically built a different website, different domain and hosting, appealed the decision on AdWords and cross your fingers, that's the only thing that worked, we were losing customers while we were trying to figure out what was going on (we were on month 2 already, dead in the water, no ads being served). While doing research I came upon the conclusion it's either machine learning that is using old data and does NOT refresh that often just to save computing power / costs, or Google's tech support does not care.


I've got a similar problem because google keeps saying my site doesn't have enough content. I add content and still get rejected. The thing is my site is a data tool site and not content based.


Just don't do ads


How can we meaningfully answer the question without knowing what is your website?

Can’t you have some respect to other people’s time?


Could it be that you're not prompting for a cookie acceptance?


> Their latest feedback after appealing suggests I change from a .co.uk to .com to resolve the issue which seems like complete nonsense.

Could possibly be a compliance thing on their end. If AdWords is a big part of my funnel, which it is for most SaaS companies, I would simply just buy a new .com or use an existing one to run a funnel that connects to the underlying .co.uk site.


Try to advertise on iSocialize.me


what's your website?



It's plausible that it's being naively flagged as something like phishing/misrepresentation of the ".com" site using that name.


Hmm possibly, good idea. That's a different company based in SA in a different space, but maybe you're right.


Buy uk<sitename>.com or <sitename>uk.com and redirect.

(and probably buy the .co.uk as well for the full set)


> Their latest feedback after appealing suggests I change from a .co.uk to .com to resolve the issue

I wonder if what they take issue with is that propertyengine.co.uk and propertyengine.com are different businesses.

I mean it doesn't make a lot of sense to take issue with that, but I wouldn't be surprised if that's what it ended up being.


I don't know how to fix this... I'd go for alternatives, maybe if they see someone else's ad there they'll reconsider their position


OP wants to run ads on google search that point to his website. Not really an alternative to that.



