This goes right to the top for me, along the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email". Either people who do this for a living have no clue how to do their job, or, depressingly more likely, their goals are just completely misaligned to mine as a consumer and it's all about "removing friction" (for them).
One of the requests was for a business card ... I haven't had a business card made with my name on it in 20 years.
The amazing thing is that I bet scammers working this system can get through this faster than I can.
At this point they should just give me control because no way would some scammer fail this much at this ungodly process.
I got hit by this from google.
1. Gmail added requirement for 2FA on my primary email address. Since I had no phone number on file, it instead used my recovery email address. Thankfully, I still had the password for my recovery email address, and could continue to (2).
2. Gmail added requirement for 2FA on my recovery email address. Since I had no phone number on file, it instead used by recovery's recovery email address. Thankfully, I still had the password for my recovery's recovery email address, and could continue to (3).
3. SBC Communications no longer exists, as it merged with AT&T in 2005. Email addresses at `sbcglobal.net` were maintained up until around 2021-ish, when they started purging any mailboxes that had been idle for more than 12 months.
Fundamentally, this was google's fault for misusing a recovery email for 2FA. Unfortunately, the only way to fix it would be to contact AT&T, asking them to pretty please update the email settings for somebody who hadn't been a paying customer for two decades.
Once it became clear that they'd shifted from "crappy customer service" to (IMNSHO) "we fetishize the complete absence of customer service" it became dangerous to depend on them. Really, what's the worst that could happen? Maybe someone spams emojis in live chat on a game livestream at the request of the streamer on a personal account, it gets banned for abuse, Google recognizes that it's linked to other services and locks down everything? But that's so unrealistic I'm sure it could never happen.
It's not like they also have the ability to identify links between multiple accounts accessed by the same person and have automated processes that might stomp the associated accounts as well. Why, that would probably require something like allowing poorly-understood automated agents to take actions on their own!
While this would absolutely suck and I sympathise with anyone getting hit by this out of the blue, it's pretty clearly your fault, not Google's. What should they have done? Just permit everyone to avoid upgrading to 2FA indefinitely? That would result in relatively more account hacks overall, for which they would inevitably be roasted in the court of public opinion.
Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations.
What would you do in Google's place?
I constantly remove it whenever Gmail sends me the notification.
I can't help but think there is some method for the other person to steal my Gmail account if I never remove my email as their backup.
We both get hit with "OG Hell," where people are constantly entering our emails. I think most time, it is accidental (maybe they meant "XXX1234", and forgot the number).
What makes it worse, is that Apple aliases mac.com, icloud.com, and me.com together, and there's no way to turn off one of the aliases.
mac.com is really in retirement. No one sets up new ones, but the miscreants typo icloud.com, which gets routed to me.
I have a rule, where I shitcan every mail to icloud.com, but I wish I could simply turn off the forwarder.
I hope it's because I have small simple email and not because they want to steal it.
I get TONS of emails of people trying to join services that use my address as a "fake email".
Etc.
I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.
I run a few websites that accept an email address (all noncommercial, I have no interest in spamming anyone). One of them is the "contact me" feature on my personal website. To prevent spam, I had people just put in their email address and it'll automatically email them my email address. This works perfectly to this day, haven't got a single spam email on any of the addresses I've handed out, but the ratio of emails sent out to received is probably 50 to 1. Why would anyone put an email address in there if not to contact me? I've been wondering if it's used by mail bombing services, idk if that's a thing but I know of the concept of annoying someone by signing them up for a hundred newsletters. My site doesn't send recurring emails, though, and it doesn't allow putting more than two email addresses per month in, per /24 IPv4 block (and even more strict on v6). It's useless for mail bombing services but the (presumed) bots keep submitting a steady rate of maybe 2 new email addresses per day, each time from a new ISP in a random country. No email addresses is ever submitted twice. No rhyme or reason to it. If anyone can make sense of this, that might help me in stopping the abuse
That doesn't prevent a huge majority of them from sending you notification emails all the time even if you never verify.
What would you expect clicking that "wasn't me" link to do?
In 99% of cases, the user who signed up with your address already can't do any more with that account unless you positively confirm it was you; and the site also won't send you any more email because they don't consider the email verified (and so sending to it might result in their emails getting sent to spam -> their email-sending reputation score going down.) So things are already in the state you'd want them to be in, no?
The only problem I can think of with that state is that now you can't sign up "fresh" for an account with the same provider, because now there's already an account associated with your email address sitting there in their DB in the pending-email-verification state. (But you still can acquire that account, by clicking "forgot/reset password" and going through that flow, which will inevitably go through your email, as anything like a 2FA setup flow always waits behind email verification.)
Netflix, for one, didn't do this. They kept allowing this guy to "resend his confirmation email" periodically over several months (I never had a Netflix account).
My theory is that it was an affiliate scam of some sort; someone probably got paid for everyone who signed up with his code. So he "signed up" thousands of random mails in the hope that some of them would click through on the "you're almost ready to start your Netflix journey!" mail and actually subscribe to Netflix.
In the past when this happens I usually reset the password and change the email to some anon throwaway but I can't do that without Raymonds DOB (don't quote me on that, been a while since I tried).
After a few months, I told them I was concerned about the privacy ramifications and would have to report it to their state insurance regulator, and it was very quickly fixed.
I wonder if finding people responsible and spamming then with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be a responsibility of some vigilante hacker
Malicious in-attention then, by the profit driven org? :)
Relevant xkcd:
Yeah, I get the same regularly.
On the other hand... Occasionally someone gets my info because some careless person entered my email address into their system incorrectly. You'd think this problem would be solved by moving to a custom domain, but I still once in a while find someone completely ignore what I put into the form and sign me up as firstnamelastname@gmail.com.
They can't just say "we don't want to deal with small timers who will not pay us big bucks doing nonstandard things" without pushback but they can write the policy so that a huge fraction of those use cases fall into some crack that can only be got out of by incurring the kind of expense that's a non-starter for those users. Your municipal code is rife with examples of this.
I believe they included the “unsubscribe” link too…
how naive. most of the world work to survive, not because its their dream vocation. they probably dont care as much as you do
https://tldrisk.com/beyond-basics/reclassification/
> This basically makes the entire TLD unviable for serious use.
It doesn't just make the TLD in question unusable. I think it makes most of the new gTLDs unusable. Registries can enact policies and systems like this, regardless of the detriment to registrants, due to a lack of oversight and registrant consideration by ICANN. That creates uncertainty and makes it pragmatic for registrants to simply choose the gTLDs with lots of history and precedence; .com, .org, etc..
The only two TLDs I'd personally rely on are .com (gTLD) and .ca (ccTLD).
.store .online .tech .site .fun .pw .host .press .space .uno .website
So, might as well to block entire TLDs and never buy a domain under those TLDs
Scam websites will use any TLD in my experience. Based on the ones that made it to my Google search results, .it and .info are the TLDs I should be blocking. When I search for "free roblox cash", most websites are .com. "Free robux" also brings forth a few .ca websites. "Free steam gift card" leads to .org and .com.
I use them when I need a random domain.
Et voilà ... ! this is precisely the slippery slope I warned about a decade ago. The indirect censorship becomes direct censorship, defeating all the arguments about the morality of such a list. And:
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
Yet more monopolistic power to Google.
The external people treating these lists as absolute truths and automatically taking domains down are the ones at fault here. Google didn't grab power, Radix gave it to them without asking.
And Google has the right to publish a list, there should be more lists not less. But Google was at fault for not correcting their blacklist. Until the article appeared on Hacker News, this was not 0% on Google. A small, correctable mistake, but they deserved a tiny bit of blame.
What is to stop everyone from doing this blacklisting?
On the flip side of the coin I cannot get a site removed that is a blatant rip off of one of our websites being actively used for invoice redirection fraud.
Considering that getting a domain is a normal part of business these days, this kind of thing should be illegal. Not to mention, why does Google have any say in this?
Because keeping Google happy or at least not bothered is an existential priority for registrars
Which likely is slow without a poke it's reasonable to base the decision on whats available.
That's just how reputation works.
I had the same experience while buying another TLD. For ~1 month, certain people whose ISP "helpfully" had "safe browsing" features, simply blocked us outright. For being new and different.
The learning for me was that new domains are no longer trusted, and seemingly some vanity domains get even more strict treatment.
For a while I noticed all the scam links my grandmother was getting were from ‘.top’ domains. I fully blocked it at the DNS level. Her DNS settings also block all newly registered sites for 90 days. She hasn’t ever had issues with it. But these have actively prevented her from clicking on scam links multiple times.
Facebook, google, and all the popular sites are all older than 90 days, on popular well known TLDs. My grandmother doesn’t seek out new trendy sites.
It was definitely something I considered when buying a new domain. I sorted by price, and then immediately ignored all the cheapest domains that were ~$1 because I’ve seen them being used for scams. They may be cheap but good luck using them.
There are lots of domains out there other than .com that are just fine.
If you plan on building a legit site, do not use any of these cheap TLDs.
I know someone with a .org domain, and even they have a ton of issues with false flags on their emails due to not coming from a big email provider. They’ve been blacklisted a couple times and regularly get flagged as spam. I’m surprised he hasn’t given up after dealing with this stuff for 25 years.
These new TLDs, I thought, were supposed to open up more options for regular people to get a domain that is semi-decent. Instead they’re essentially useless. Some of the prices are also still insane, due to assumed “premium” status or domain squatters.
There has to be a better way to police this stuff.
Free is good, but sometimes it's not.
We struggled a lot when we opted for the .online domain for https://pinggy.io urls
> Not adding the domain to Google Search Console immediately.
I don't understand. What is Google Search Console, and should I add all my domains there right now?
And yes, you probably should, if only to pre-register your ownership thereof if google ever decides to nuke you from orbit
Google's way of tying real identifies of people to domains, without making it explicit.
Basically, your domain will be weirdly treated by a bunch of entities, none the less Google themselves, if you don't add your domain there (or some other Google property).
Especially with less common TLDs, like .online, they really want to be able to tie it to some identity, so unless you add it there, eventually your domain ends up on some sort of blacklist, in the case of the author it seems they used the "Google Safe Browsing" blacklist to get the author to involve Google somehow.
But if you do - you would get some notifications from Google about that website/domain.
I've only ever seen emails of the "There's an increase in 4xx/5xx errors on site/page(s)"
Was called webmastertools before.
You can also request Google to index your site on GSC as well.
You should probably add your websites to GSC.
I'm not particularly familiar with SEO or the massive black box that is Google Search - is this really as critical as the author makes it seem? I have both .lol and .party domains, both through porkbun (and the TLDs seem to be administrated by Uniregistry and Famous Four Media, respectively), and both are able to be found on Google Search. It seems like this preemtive blacklisting would be the result of some heuristics on Google's end; is .online just one of the "cursed" TLDs like .tk?
It is critical in the sense that if you want to appeal the decision in a case like this, it will go much better if you pre-verified that you own the domain.
(I don't think it has much effect on google search placement at all)
I've also never added domains to Google Search Console and haven't had blacklisting issue other than with a free .ml (another "cursed" TLD) site that was by default assumed to be spam by Facebook Messenger.
It's unfortunate that this category exists, but I don't share the OP's .com purism; I've used a mix of TLDs and even the cheap ones like .fyi and .cc haven't come under extra scrutiny as far as I can tell.
That should be enough to trigger an antitrust case against Google and a split of its activities. When despite unrelated, it becomes the gatekeeper of your presence in internet.
Safe Browsing itself has an appeal process so I think legally they're covered. Users and governments surely appreciate someone filtering bad actors online, even if casualties don't.
The moment that 80%+ users go to internet through their browser but at the same time control which we site can be accessed with their safe list.
The moment that you need to create an account and start using their services and accept their terms and conditions to be removed from wrongfully added "list" impacting someone.
Want to set up a new domain for whatever purposes (conference, new product, etc)? Be prepared to spend the first half a year fighting the various blacklists before people can actually reliably connect.
Would make so much sense if you could just have a .well-known/other-domains.txt (or something something DNS) with a list of domain names that should be considered just as trustworthy as your main domain.
It's not even about .online or other weird TLDs, it's just that the domain is new and therefore "not trustworthy". Even worse if you need to use your existing branding on the new domain - instantly flagged as a phishing site everywhere.
Alas, the .tech domain is quite popular.
https://www.spamhaus.org/reputation-statistics/gtlds/malware...
It said that https://aid.de was available. I was out of the moon happy (silly me) thinking that its such a good domain or something.
Then I saw aid.de available in namecheap for around 2$ ish but for some reason I took a bath and hten later it showed 10$ ish.
Okay, I then went to spaceship and it also showed me aid.de available. I then took my card and signed up
Well the transaction took place but got refunded. It said that there was an issue or something and got insta refunded
Silly me, thought that the payment had issues and decided to do payment again. This time though my refund had to wait 10 days to come back because of international laws.
Now I had only very little amount stuck btu I can see someone losing substantial money/having it stuck
I contacted their support and they told me that both namecheap/spaceship have a bug where some domains show available when they aren't.
I haven't checked but since the amount was like 1-2$ now but this whole thing really soured my relationship with namecheap/spaceship.
For context, before this, I also had a hate/love relationship with namecheap because once I bought a domain with them using crypto and also bought their vpn which was like 20 cents basically
It had auto renewal on and my domain costed 1$ but crypto payment requires 10$ minimum and the VPN charged me money from that.
Luckily I had spotted before the 2nd month and to be honest, like only 1 month 10 days or something and I urged the namecheap company to do what's right (in that moment because a lapse of judgement had been made from my side/error and I hoped that namecheap could realize it and do "right" instead given that the cost was only around 10$ fwiw)
After waiting for many days, they finally did what's right and gave me my credits back as a one off thing and I then turned off their domains.
I also used a crypto swap thing to convert b/w usdc and btc (what namecheap accepts) and I had an issue of doing two times payment after the timeperiod of btc payment (15 mins) but they also fixed that issue by adding the credits manually when I raised the issue.
Their customer support at times can be good but the platform itself is a little shady in my opinion. For the VPN thing if I remember correctly, the auto renew was written with grey and I genuinely didn't read it without my specs.
I am gonna keep my domain with namecheap that I have and if I get deals from namecheap/spaceship then use them, but for individual domains without deals, hell no.
I know that many people don't like the centralized nature of cloudflare but cloudflare is a good thing for domains :/
I personally just buy domains from wherever's there's a deal right now as some domains I have are some that I keep for only 1 year or similar.
To be honest, if I want to pick a domain-thing, I'd rather pick the one which is the cheapest or if not, then the one which only sells domains
I just looked at porkbun and they only sell domain related things and at best mail (they also have a deal with proton which can be interesting to many)
Porkbun is also cheap so I think I would recommend porkbun/cloudflare.
I haven't decided if I will transfer my domains from namecheap or not but their customer service is nice but the same can't be said for their service sometimes in my opinion.
Email isn't decentralized. Mastodon isn't decentralized. Matrix isn't decentralized. XMPP isn't decentralized. The web certainly isn't either.
All of them can be killed by Safe browsing. All of them can be killed by ICAN (which is under significant influence from the US government). All of them can be killed by their domain registrar and registry operator. All of them can be killed by Let's Encrypt adding their certificates to a CRL, and refusing to issue new ones. All of these will eventually be weaponized, when the war over who controls information truly begins.
> Anyone can be killed, my Lord!
So nothing is decentralized?
Somehow, Zoominfo picked up the site, and rated The Aetheric Message Machine Company as having revenue of about $5 million a year and, at peak, 24 employees. We had a back story for roleplay purposes, in the operating manual for the cosplayers.[2] Someone apparently took it seriously.
That was a fun project.
[1] https://vimeo.com/124065314
[2] https://aetherltd.com/public/othermanuals/operatormanual05.p...
The problem is the vanity domain registrar Radix using that as a reason to _put the whole domain on hold, including all subdomains, email entries etc._
This means:
- no way to fix accidental wrong "safe search" blacklisting
- if it was your main domain no mails with all the things it entails
- no way to redirect API servers, apps etc. to a different domain. In general it's not just the website which it's down it's all app, APIs, or anything you had on that domain
Google Safe search is meant to help keep chrome users safe from phishing etc. it is fundamentally not designed to be a Authority Institute which can unilaterally dictate which domains are no longer usable at all.
Like basically what Radix did was a full domain take down of the kind you normally need a judge order for... cause by a safe browsing helper service misfiring. That is is RALLY bad, and they refuse to fix their mistake, too.
You normally don't have _that_ level of fundamentally broken internal processes absurdity with the more reputable TLD operators (which doesn't mean you don't have that in edge cases, but this isn't an edge case this is there standard policy).
That's not me saying there shouldn't be a warning and a recourse, but the time-to-profit for domain abuse is really short so anti-abuse actions have to be quick.
The only issue was the usual trap with all Namecheap domains: They tell you it's all set, and it works, until they randomly email you a week later asking for email verification. If you don't do that promptly, they suspend your domain until you trigger a resend. Which is easy to fix but also strange.
So yes, this appears to be a TLD- (or at least registry-) specific issue.
https://prezkennedy.com/2026/01/15/the-free-domain-trap-the-...
> Freenom’s terms of service allowed them to “cancel” a free domain at any time without warning. Users reported for years that as soon as their free site started getting significant traffic (and becoming valuable), Freenom would reclaim the domain and fill it with ads, effectively hijacking the user’s hard work.
Also, some TLDs directly speculate on having very low prices for the first year or two, then 10x it on year 2 or 3.
Also, go figure Namecheap works with these morons.
.store, .online, .tech, .site, .fun, .pw, .host, .press, .space, .uno, .website
not sure about other registrars
Sorry, can’t buy a frame.work laptop because that’s a “Malicious TLD”, according to the folks at ZScaler.
I suspect there is something the author is not telling us.
OP says:
> no gore or violence or anything of that sort
That’s not even the right criteria. OP is confused about Google Safe Browsing vs Safe Search.
We understand how frustrating it can be when a domain stops resolving unexpectedly. We’ve sent you an email with more details on what happened and the steps taken so far. We’re also reviewing this internally to understand why the domain was flagged and how we can reduce friction in similar cases going forward. We’re happy to continue the conversation over email and share any additional context if helpful.
Thank you.
I was price-gouged out of owning a single, rare .icu domain when renewal fee for it went from 20 usd to 220 usd overnight, just for this one domain... I'm pretty sure it's not Gandi, but the TLD opetator, because other .icu domains I've had were fine. I decided to eventually abandon them all anyway. Moved away from Gandi later when they started doing gouging of their own, too.
What is HN's opinion on Dynadot?
Getting Google to index my personal site has been a pain. Every other search engine works fine, but ever since I switched the images on my site to .webp (a format created by Google!), my site's content just doesn't get indexed anymore. I've given up since web search traffic matters less and less these days with LLMs, and it only really bothers me when I'm trying to search for my own articles.
I use my older, much longer domain for email and identity (it used to be #3 on SERP for "Sid"). This one is just for giggles so I can blog in peace without affecting the main one.
It's quite possible that the domain you chose was registered previously and dropped because the previous owner misused it and burned that domain. The .ONLINE extension has been around for several years now.
And you have system and reputational damages.
Go for small claims suit, $5000. It'll cost more than that for their attorney to go to your jurisdiction.
(IAAL, but this is not legal advice. Consult a licensed attorney for legal advice.)
it's not meant to have any other consequences
so basically what happens is that because of hearsay of google thinking you site is not bad Radix does what normally should involve a judge order (taking down the whole domain)
(1): Yes that still would cause damages on any site with customers, but like way less and way more fixable then what happened here.
Similar issues to .io happened with the popularity of .tv domains, which again is a ccTLD. The government of Tuvalu sought to increase income from sales of their ccTLD and prices went up. Tuvalu is such a small nation .tv domain sales ended up making a significant part of the State's income.
Another fun example of the mess you can get into with ccTLDs was when the UK left the EU. All UK registered .eu domain names were cancelled following the UK exit from the bloc.
gTLDs generally have some degree of insulation from State-level politics. ccTLDs permit the nation or territory they represent much more say in how they are priced and who they are sold to.
Lots of good stuff in this thread I was not aware of. I have a few vanity domains with personal projects so it's not a big deal if they have low SEO but good to know going forward that I should be prioritising country domains like the Irish .ie one instead of 'fun' looking domains that are memorable.
If you were a lawyer, you could have fun with this.
Btw, perhaps unrelatedly, we had a domain marked as unsafe by Google as well for no particular reason.
Or don't want to pay a $2k ransom to a name squatter... For some businesses that is a rounding error (saas, other high volume high margin stuff), but for small businesses like restaurants or event planners, spending that much on a domain name would be foolish.
No thanks.
especially country level domains, they are not regulated and your register can ignore whatever requirements they have to fullfil
I wouldn't party too soon - from my experience getting something removed from Google's libel machine doesn't mean the same process that put it there in the first place is fixed and it you will most likely go through the same thing again and again.
> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.
This is just another way how Google has inserted themselves as the gatekeeper of the web.
At first I was stoked to have a two letter domain, but then I looked into it and learned these companies will get you hooked with a low initial price, then jack up the prices as the domain becomes established.
Quite the grift. My plan is to tread lightly on that domain and be ready to back away from it when the rent seekers move in.
You’d think there would be some sort of rules to the neutrality of these TLD administrators, but nope.
The second time around I wised up and go ogplus.net for an API domain instead of ogplus.media. I’ll take neutrality over vanity any day.
and if hectic maybe .io
How on earth we ended up with this company bother anyone including those that want their services? Imagine that you could get your driving license banned because you did not buy a toyota...
ftfy
The bigger problem is the unbanning - for which there should be a better system, probably that should take the form of the registrar having a short grace period to aid in the Google stuff (DNS verification etc.) with additional checks by the registrar to make sure it's not being used for spam/malicious content.
The other point being why was Google banning you so quickly? This is the opaque part. Was the site reported? Was there some URL hijinks? That's the thing you'll probably never find out.
If the registrar tracks this information, a possibly helpful course of action would be to notify or warn the domain owner that they are on the list.
In the modern adversarial web, I do not want a registrar that proactively disables my domain because of some third party report.
The was my first thought as well. Yes, using the Safe Browsing list feels wrong, but I don't know enough to speak definitively in that regards. However wouldn't a relatively simple solution be that if a registrar is choosing to use some third party's list of banned DNS entries that the registrar then also implement sufficient unblocked components that will allow people to be unbanned from that third party?
> Add a DNS TXT or a CNAME record.
I haven't had a use-case for a TXT record come up yet, but isn't it low risk enough to allow domain owners to continue to configure TXT records even if the registrar wants to ban configuring other record types? Then the person in the article could prove ownership and could then get off of the third party ban list that the registrar was utilizing.
Even google safe search isn't blocking you site per-se, it just adds a very annoying "this site is not safe" dialog you can "somehow" bypass (but most people wont and don't know how).
Like if this where the main site of a company (which it very much could be) this would also have taken down mail, all APIs, all Apps relying on such APIs.
so no this is absurdly unreasonable actions
that they seem to neither know nor care that this makes it impossible to "fix" false positives with google isn't helpful put this in the area of high levels of negligence which can get you into a lot of trouble in the EU
