Deceptive Site Ahead

[GodBleak]

Describe The Bug A domain hosting Jellyfin is flagged by Google as a "Deceptive Site".

Steps To Reproduce Unknown

System (please complete the following information):

• Browser: Firefox, Chrome
• Jellyfin Version: 10.8.5 (linuxserver/jellyfin:10.8.5-1-ls180)

Additional Context Google claims that https://example.tld/web/index.html

attempts to trick users into doing something dangerous, such as installing unwanted software or revealing personal information.

I've appealed to Google twice now, but the domain continues to be flagged. This issue has been further documented on a few reddit posts:

• Deceptive Site Ahead
• "Deceptive site ahead" warning on my self hosted jellyfin web app

[thornbill]

Does entering your url here provide any information about what they believe is an issue? https://transparencyreport.google.com/safe-browsing/search

We really have nothing to go off of for this currently.

[GodBleak]

Unfortunately, this is all it says

Current status warning This site is unsafe

The site https://example.tld/web/index.html contains harmful content, including pages that:

• Try to trick visitors into sharing personal info or downloading software

I'm unsure how I'd get more info. I'm open to sharing the domain with a maintainer privately, if it helps.

[thornbill]

Are you using any third party css?

[lednerg]

The same thing just happened to me tonight. My server's been using the same IP (from Comcast) for at least a couple years now. I'm currently on version 10.8.1 and am not using any third party CSS. I have the following plugins installed: (PNG of plugins page).

EDIT: This is blocking the Android app from working as well. So while web browsers can bypass the warning, and I can still access it on the local network, my server is completely inaccessible on remote Android devices.

[GodBleak]

Sorry @thornbill, was only just notified of updates on the thread, no I'm not using any third-party CSS

[mcshaman]

Same issue here!

[viletuna]

I'm also having the same issue. Twice now with two different servers. Both were using duck DNS and caddyv2. Requesting Google to remove the flag worked temporarily before being flagged again

[GodBleak]

I've done a bit of digging. It seems the YunoHost community is also experiencing this. With further digging I found a few things that leads me to suspect our domains are being flagged for "Insufficiently labeled third-party services".

1. While not directly related to Safe Browsing (and thus this error), I found this notice from NameCheap:

   Please be informed that the xxxxxx domain name was reported as involved in abusive activity by a trusted organization. During the investigation, it was noticed that your website content is a copy of the Bitwarden official website. On that ground, we were forced to suspend the domain name due to phishing activities, which include unauthorized use of the legitimate organization denomination and attempts to acquire sensitive information such as usernames, passwords, etc

   And they follow that up with:

   you will need to provide us with paperwork proving your cooperation with the Bitwarden website and their consent to use their official denomination in your domain name.

   This indicates that NameCheap is actively identifying and responding to IP (intellectual property) violations used for phishing. Since Bitwarden is another self-hostable, open-source project, it's highly unlikely that this action was prompted by the Bitwarden team themselves. This suggests that NameCheap is independently detecting supposed IP violations and issuing notices accordingly. This behavior appears similar to what we're experiencing with Google, hinting at a broader industry trend.

2. This comment regarding the Deceptive Site warning also seems to indicate that this is more of a branding/IP problem, rather than just an issue with the source code.

3. And this comment on StackOverflow where someone supposedly received the warning on a site imitating Netflix, also believes that the issue is a result of the imitation.

4. Eventually, I found this article by Google on social engineering where they show deceptive content examples

   This one caught my eye.

   Its layout is similar to the JellyFin login page, right? A page at the root path of a domain (true for both the OP of the YunoHost thread and myself) using a trusted third-party's logo in an authoritative position, with the page's sole purpose clearly being to collect credentials. YunoHost shares this layout as well. Additionally, both apps use the product name in the page title, along with the product's logo as the favicon.

I surmise that the combination of the following elements

• the page title being "JellyFin"
• the page favicon using the JellyFin logo
• the authoritative location of the JellyFin logo
• the page's sole purpose being to collect credentials, and
• the service being hosted at the root path of the FQDN

leads to Google thinking we're trying to impersonate JellyFin.

[mcshaman]

Interesting hypothesis @GodBleak. Do you know if it is possible to override all these on the landing page?

[thornbill]

I suspect the meta tags here may be to blame, but someone would have to test that to verify since Google is providing no usable information.

https://github.com/jellyfin/jellyfin-web/blob/master/src/index.html#L15-L19

[NeonWizard]

I disputed the "deceptive site warning" through the Google search console about a week ago, and the error has yet to come back.

[VTStation]

I disputed the "deceptive site warning" through the Google search console about a week ago, and the error has yet to come back.

I'v had this issue since mid of sept , lodge a review to google via search console ,they would lift the block and then aweek later it will be blocked again. I'v been blocked 4 times , rebuilt the server the first time after finding no issues , they still blocked it and i have continued to send them the same review response " please stop blocking this private site " they have lifted the block every time.. Iv stopped sending reviews to google 'i gave up .. using jellyfin in kodi app is my work around .

[lednerg]

I suspect the meta tags here may be to blame, but someone would have to test that to verify since Google is providing no usable information.

https://github.com/jellyfin/jellyfin-web/blob/master/src/index.html#L15-L19

Twelve days ago I changed all five of those meta tags in my jellyfin-web\index.html file so that they're all unique to my server and I have yet to be blocked by Google again. I've logged in and out remotely several times since then using Google devices/programs. I'm not saying I'm sure this is definitely a fix, I'm just sharing my experience. BTW, editing that file was a pain since it's all on one line.

[VTStation]

I suspect the meta tags here may be to blame, but someone would have to test that to verify since Google is providing no usable information. https://github.com/jellyfin/jellyfin-web/blob/master/src/index.html#L15-L19

Twelve days ago I changed all five of those meta tags in my jellyfin-web\index.html file so that they're all unique to my server and I have yet to be blocked by Google again. I've logged in and out remotely several times since then using Google devices/programs. I'm not saying I'm sure this is definitely a fix, I'm just sharing my experience. BTW, editing that file was a pain since it's all on line.

I also have qbittorrent web server running and that is blocked by google its not limited to jellyfin, Alot of people are running

I suspect the meta tags here may be to blame, but someone would have to test that to verify since Google is providing no usable information. https://github.com/jellyfin/jellyfin-web/blob/master/src/index.html#L15-L19

Twelve days ago I changed all five of those meta tags in my jellyfin-web\index.html file so that they're all unique to my server and I have yet to be blocked by Google again. I've logged in and out remotely several times since then using Google devices/programs. I'm not saying I'm sure this is definitely a fix, I'm just sharing my experience. BTW, editing that file was a pain since it's all on one line.

Are you able to compare from previous versions of the jellyfin server ? if this tag had changed after the update causing google block? as iv been running jellyfin for a few years with no issues up until now .

[lednerg]

Are you able to compare from previous versions of the jellyfin server ? if this tag had changed after the update causing google block? as iv been running jellyfin for a few years with no issues up until now

I found some older versions of the index.html file going back to last November and those meta tags haven't changed. If the tags are what the issue is, then this is something new that Google has started doing all of the sudden. I'm just a layman but I looked into what those "og" (Open Graph) tags are about and it appears that people have done phishing scams using false og tags as a way to trick people into thinking they're logging into their bank or whatever.

If this is actually what the problem is - and we don't know yet - then that would mean Google sees that your Jellyfin server has an "og:url" tag pointing to "https://jellyfin.org" - but that isn't your server's URL, so Google may be assuming you're trying to spoof people. Again, we don't know if that's what's going on. FWIW, I changed my "og:url" to my server's IP address, and changed "og:title", "og:name", and "og:description" to "lednerg's Jellyfin Server".

[VTStation]

Are you able to compare from previous versions of the jellyfin server ? if this tag had changed after the update causing google block? as iv been running jellyfin for a few years with no issues up until now

I found some older versions of the index.html file going back to last November and those meta tags haven't changed. If the tags are what the issue is, then this is something new that Google has started doing all of the sudden. I'm just a layman but I looked into what those "og" (Open Graph) tags are about and it appears that people have done phishing scams using false og tags as a way to trick people into thinking they're logging into their bank or whatever.

If this is actually what the problem is - and we don't know yet - then that would mean Google sees that your Jellyfin server has an "og:url" tag pointing to "https://jellyfin.org" - but that isn't your server's URL, so Google may be assuming you're trying to spoof people. Again, we don't know if that's what's going on. FWIW, I changed my "og:url" to my server's IP address, and changed "og:title", "og:name", and "og:description" to "lednerg's Jellyfin Server".

I changed those og tags and guess what ", google blocked the site :/ . Is it because google detected change ?.. I'll send a review to get it unblocked with this current change , see how long it remains unblocked .

[lednerg]

It could be that you didn't change them soon enough, but like I said, we don't actually know what the problem is.

After my server was blocked by Google, I turned it off, got my IP unblocked, and temporarily switched to using an Apache server. I only turned Jellyfin back on after changing those meta tags. That was 16 days ago and my server hasn't been blocked since. I've been accessing the server from outside of my local network practically every day, in ways which would be going through Google Security, such as through Chrome browsers and Android devices. Unfortunately, I can't revert the tags back just to test if it'll block me again because I'm using this IP and Jellyfin for work; I use it to serve videos I make for my clients.

[optroodt]

I'm facing the same issue, requested to be reviewed once after which the warnings disappeared, only to return a few days later. I went through the verification process on https://search.google.com/search-console, and then this caught my eye:

Could it be because of the service workers that Jellyfin uses? Maybe in combination with the og:url tag and asking for login details?

[VTStation]

this is what is on mine.

[Hukuma1]

Battled with this earlier. Took down my whole domain. Luckily disputing it seemed to have corrected it. Not happy to read it can still happen after, and multiple times no less...

[lednerg]

After three weeks or so with it being fine, Google has flagged my server again. I have no idea what to do, but I obviously can't use Jellyfin anymore. Just wrote a detailed saga to Google about it, but who knows if that'll even reach a conscious human.

[VTStation]

After three weeks or so with it being fine, Google has flagged my server again. I have no idea what to do, but I obviously can't use Jellyfin anymore. Just wrote a detailed saga to Google about it, but who knows if that'll even reach a conscious human.

Same here just got blocked that didn't last long, so the tag mod did not do anything :/

[VTStation]

Google still flagging site, but strangely Android apps are working ... Anyone else experiencing this to ? .. maybe google has made an exception ?

[optroodt]

FYI Without doing anything to Jellyfin, Safari no longer displays the warning for my domain, but Chrome still does.

Edited: after a week or so, it's back again in Safari too. The iOS clients worked while Safari did not show the warning, now they've stopped working.

[mike948]

I got the same warning a month ago. Afterwards I added the domain to Google Search Console and filed a review. Within a couple days they removed the warning. I just got a new email from Google Search Console saying "Social engineering content detected on <mydomain.tld>" and the warning is back. It says the deceptive page is https://mydomain.tld/web/index.html

Details about my setup: Running Jellyfin in Docker with Nginx Proxy Manager and cloudflare-ddns. Additionally have the Cloudflare DNS proxy status enabled and Cloudflare's Web Application Firewall setup to block all access outside the USA.

[VTStation]

I got the same warning a month ago. Afterwards I added the domain to Google Search Console and filed a review. Within a couple days they removed the warning. I just got a new email from Google Search Console saying "Social engineering content detected on <mydomain.tld>" and the warning is back. It says the deceptive page is https://mydomain.tld/web/index.html

Details about my setup: Running Jellyfin in Docker with Nginx Proxy Manager and cloudflare-ddns. Additionally have the Cloudflare DNS proxy status enabled and Cloudflare's Web Application Firewall setup to block all access outside the USA.

There is no fix ,. Google never ending flag , lately apps on tv and app still works which is all that matters..

[devopstagon]

I suspect it could be reverse proxy settings. This block seems to cause issues:

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

At least this is my initial suspicion.

[VTStation]

Iv experience with and without reverse proxy .. google just flag regardless.

[candry7731]

this seems like it worked for me...... I have gone 2 weeks without being flagged again, after I changed the tags

[misterkiem]

I got flagged last Sunday (2022.12.25) and after reading about this issue I immediately submitted a review request on google search console. flag was removed on Wednesday (2022.12.28), and then just auto flagged again today (2022.12.31). I have just updated the og: meta tags as suggested here and will report results in a few weeks

[candry7731]

Yep, I changed the meta tags and got tagged again........

Not sure whatelse to do.

[GodBleak]

I've dug into the Safe Browsing project a bit and couldn't find any information on how projects such as jellyfin are supposed to deal with this, couldn't find any formal contact information for the project either, the only contact I could find is @loicbertron -- a Engineering Manager for the project (whom tastefully has the notice as his cover photo on mastodon), I sent him an email a month or so back bringing this to his attention and got nothing but radio silence back.

Considering the ramifications of being on this list, the broken appeal process, and the lack of resources and/or tools to ensure the code we write meets whatever arbitrary standard they're imposing on the wider web, I'm, at this point, calling the Safe Browsing project a malicious and thinly veiled attempt by Google to control the wider internet under the guise of "protecting the public". So much for "don't be evil"

[nimids]

My Jellyfin server just got hit with this, it flagged all of my subdomains. Added the domain to Google Search Console and requested review. Really hoping it gets unflaged, as I use the domain for many other things. Then I'm going to enable basic HTTP auth on my reverse proxy in a hope it will prevent reflaging. As without a password they will only get 401 Unauthorized. Unfortunately, I don't think the non web clients support that.

[candry7731]

@nimids make sure you change the html meta tags. Then submit for review.

I had to submit for review 1 more time after I changed the meta tags and have not been flagged again. I was flagged 4 times in total.

[misterkiem]

Just updating from this comment. After updating the meta tags I resubmitted for review and the flag was lifted within 2 hours. It has been 3 and a half weeks since then with no problems.

@nimids the process I specifically followed was this:

1. Edit index.html in the jellyfin web folder (path to this can be found in the admin dashboard at the bottom)
2. Search for "og:", it will highlight a bunch of meta properties.
3. Change all of them (og:title, og:site_name, og:url, og:description. og:type can be left on 'article')
4. Resubmit your site for review. In the comments for the review I specifically mentioned that I changed the og: meta properties to something unique from jellyfin.org

[seclusionenthusiast]

A good alternative to changing the meta tags may be to just link this thread when requesting a review. I pointed out this was a well-documented issue with Jellyfin and they lifted my flag within a couple of hours.

[OdinGitDat]

I really don't think it matters what you write when requesting a review. I left the textbox practically empty and the flag was lifted after 2 hours.

I believe speculating here about what works is pointless without any proof or confirmation from someone at Google.

[christovic]

I didn't want to have to worry about changing the tags so I've done this, hope it helps someone.

I've created Dockerfile next to my docker-compose.yaml with the following content:

Feel free to change "My Jellyfin" and "https://jellyfin.example.org" to whatever you want.

FROM jellyfin/jellyfin:10.8.9

RUN sed -i -e 's|<meta property="og:title" content="Jellyfin">|<meta property="og:title" content="My Jellyfin">|' \
    -e 's|<meta property="og:site_name" content="Jellyfin">|<meta property="og:site_name" content="My Jellyfin">|' \
    -e 's|<meta property="og:url" content="http://jellyfin.org">|<meta property="og:url" content="https://jellyfin.example.org">|' \
    -e 's|<meta property="og:description" content="The Free Software Media System">|<meta property="og:description" content="Private Media Server">|' \

and my docker-compose.yaml from:

image: jellyfin/jellyfin:10.8.9

to:

build: .

[alanmccallum]

I was using jellyfin.example.tld

Prior to being flagged I was using Ngnix Proxy Manager with a simple Let's Encrypt cert for the subdomain.

Last week my Ngnix Proxy Manager install became corrupted, so I set up a new install. After the reinstall of NPM I used Let's Encrypt along with a DNS challenge to GoDaddy with a wildcard for the subdomains.

My entire domain was flagged as a deceptive site a day later. I disputed with google with no change.

I updated the tags in Jellyfin as previously documented, and used a fresh domain - video.otherexample.tld - using the same NPM and GoDaddy account. The new domain was flagged within a couple days.

This may be a coincidence, but the timing is odd.

[harrv]

I've done a bit of digging. It seems the YunoHost community is also experiencing this. With further digging I found a few things that leads me to suspect our domains are being flagged for "Insufficiently labeled third-party services".

1. While not directly related to Safe Browsing (and thus this error), I found this [notice](https://www.reddit.com/r/Bitwarden/comments/t4n84j/comment/hz5udac/?context=3) from NameCheap:

Please be informed that the xxxxxx domain name was reported as involved in abusive activity by a trusted organization. During the investigation, it was noticed that your website content is a copy of the Bitwarden official website. On that ground, we were forced to suspend the domain name due to phishing activities, which include unauthorized use of the legitimate organization denomination and attempts to acquire sensitive information such as usernames, passwords, etc

And they follow that up with:

you will need to provide us with paperwork proving your cooperation with the Bitwarden website and their consent to use their official denomination in your domain name.

Indicating that the action they're taking is to recognize IP(intellectual property) violations used to phish. Furthermore, it implies the action is automatic and not at the request of the maintainer (Bitwarden)

2. [This comment](https://www.reddit.com/r/linux/comments/8x75f0/comment/e21lr3o?context=3) regarding the Deceptive Site warning also seems to indicate that this is more of a branding/IP problem, rather than just an issue with the source code.

3. And [this comment](https://stackoverflow.com/a/68468475) on StackOverflow where someone supposedly received the warning on a site imitating Netflix, also believes that the issue is a result of the imitation.

4. Eventually, I found this article by Google on [social engineering](https://developers.google.com/search/docs/monitor-debug/security/social-engineering) where they show [deceptive content examples](https://developers.google.com/search/docs/monitor-debug/security/social-engineering#deceptive-content-examples)

This one caught my eye.

Its layout is similar to the JellyFin login page, right? A page at the root path of a domain (true for both the OP of the YunoHost thread and myself) using a trusted third-party's logo in an authoritative position, with the page's sole purpose clearly being to collect credentials. YunoHost shares this layout as well. Additionally, both apps use the product name in the page title, along with the product's logo as the favicon.

So I think the combination of

* the page title being "JellyFin"

* the page favicon using the JellyFin logo

* the authoritative location of the JellyFin logo

* the page's sole purpose being to collect credentials, and

* the service being hosted at the root path of the FQDN

leads to Google thinking we're trying to impersonate JellyFin.

After reading this issue and all of the comments up to now, I'd say this comment by GodBleak appears to be the most likely cause of our personal servers getting flagged. Google bots assume that our Jellyfin instances are all trying to impersonate https://demo.jellyfin.org/ because the login pages are all nearly identical (including elements like favicon and the login page title, Jellyfin).

Short of convincing Google that the users of our sites are not being tricked into giving up their login credentials for demo.jellyfin.org, the best way to avoid getting our servers flagged as deceptive is to change as many of the common elements as we can. Jellyfin devs could help with this by providing a robust customization feature that allows elements such as page titles and all branding images (including favicon) to be changed by the Jellyfin admin. (Elements that can only be seen after you have logged in wouldn't need to be changed, necessarily, to help with this specific issue. Just things that can be seen before logging in would be inspected by the google bots.)

By the way, Emby users are also plagued by this lately (same issue there with Emby instances appearing to impersonate https://app.emby.media).

Please don't bother replying to give your personal anecdote about getting your site removed from Google's list by simply requesting a review, or by changing the tags on your page. Both of those things are hashed to death in previous comments, and both have ultimately proved to be only temporary solutions. Sites are ultimately flagged again for same issue.

[FastThenLeft]

My site flagged as "Deceptive" yet again. After reading TONS and coming across the same article as @harrv above, I agree.

The site is here if you want to read it: https://developers.google.com/search/docs/monitor-debug/security/social-engineering

The site specifically has information for sites using a "third-party service". Maybe that would be helpful: https://developers.google.com/search/docs/monitor-debug/security/social-engineering#third-party-guidelines

[FastThenLeft]

I decided to put the Google "Third-party service guidelines" right here so you don't have to go anywhere to read them:

Third-party service guidelines If you include a third-party service in your site, we recommend that you meet the following conditions in order to avoid being labeled as social engineering:

• On every page, the third-party site clearly includes the third-party brand in a way that ensures users understand who is operating the site. For example, by including the third-party brand at the top of the page.
• On every page that contains first-party branding, explicitly state the relationship between the first and third party, and provide a link for more information. For example, a statement like this: This service is hosted by Example.com on behalf of Example.charities.com. More information.

A good usability guideline is whether a user viewing the page in isolation understands which site they are on, and the relationship between the first and third party at all times.

[mcshaman]

I shut down my jellyfin server and put in a request with Google (through search console) to unflag my domain about 4 days ago but it is still flagged. How long does the typically take? Does Google communicate the progress of the process?

[alanmccallum]

It took them about two weeks to clear my flags.

On Mon, Mar 20, 2023, 1:42 p.m. McShaman @.***> wrote:

I shut down my jellyfin server and put in a request with Google (through search console) to unflag my domain about 4 days ago but it is still flagged. How long does the typically take? Does Google communicate the progress of the process?

— Reply to this email directly, view it on GitHub https://github.com/jellyfin/jellyfin-web/issues/4076#issuecomment-1476903481, or unsubscribe https://github.com/notifications/unsubscribe-auth/A6HDQ22GZ5BK2USVOVPWEMTW5C6KBANCNFSM6AAAAAARJ7HJOM . You are receiving this because you commented.Message ID: @.***>

[FastThenLeft]

Hours for me.

On Mon, Mar 20, 2023, 4:42 PM McShaman @.***> wrote:

I shut down my jellyfin server and put in a request with Google (through search console) to unflag my domain about 4 days ago but it is still flagged. How long does the typically take? Does Google communicate the progress of the process?

— Reply to this email directly, view it on GitHub https://github.com/jellyfin/jellyfin-web/issues/4076#issuecomment-1476903481, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB7K5ROZOCULWYFOLNB6JW3W5C6J7ANCNFSM6AAAAAARJ7HJOM . You are receiving this because you commented.Message ID: @.***>

[nimids]

I removed basic HTTP auth on my reverse proxy to use a non-web client got near instantly got a message about Social engineering and a deceptive page listed on Google Search Console.

[morkyy]

I just started getting the exact same issue last night. Pretty bummed that there is no fix yet as this has been ongoing for over 6 months.

[chenichadowitz]

I ran into this over the last few weeks and tried to push the support team on what exactly triggered the flag. I also pointed them to this issue. After some back and forth, this is the result I got from them:

We received an update from our team. We cannot provide further details on how our system detect suspicious pages from your website. Please ensure your website follows the guidelines laid out on including a third-party service on your website to make it clear about the relationship between your site and the third-party. https://developers.google.com/search/docs/monitor-debug/security/social-engineering

So.....not all that helpful, but perhaps confirms some of the suspicions mentioned in previous comments? Zero guidance as to specifics, however. To be honest, even getting in contact with a person was difficult (I ended up calling the google domain abuse phone line listed on whois, which led to them creating a support ticket via email....)

[GodBleak]

I can't recommend this hack, as I'm certain I've seen some articles stating that it can actually be a cause of the issue, but I can't seem to find these articles again to cite them (Edit: Was a comment on one of the Reddit posts I linked). So for those at their wits' end and willing to take that risk, it may be worth trying the following before giving up on Jellyfin.

I've moved Jellyfin behind an NGINX reverse proxy, and have been using it in conjunction with a script to automatically update the NGINX config to deny access to Jellyfin from any of the IPs Google has listed as being used by Googlebot. I made this change on the first of January in a hope that Safe Browsing relies on Googlebot to make the decision of whether or not to flag the site and this would essentially prevent it from reaching any conclusion. So far, it seems to be working.

This will obviously hurt search rankings for your Jellyfin instance, but I think, for most, that's not going to be an issue. Also, I imagine there isn't overlap between the IPs Googlebot and other Google services (like Chromecast) use, but if there is, this would also affect Jellyfin's ability to use those services.

If you're going to try this, and your domain is currently flagged, follow the appeal process and wait for the flag to be removed first, as Google will crawl your site as part of that process.

[chenichadowitz]

Interesting, I'd be curious to hear any feedback after running like that for a while. I'll mention that I'm already running Jellyfin behind an nginx reverse proxy, and that after the first or second instance I did try changing the tags mentioned previously. Since I have a (semi)active case open with support, I may leave it as is for a while and see if it gets flagged again without any further changes. If it does.....I may try the same thing if you've found that to be effective.