LinkedIn treat fly.dev urls as malicious

A month ago I deployed my personal portfolio website on fly.io. Initially everything went great I shared it on Facebook and LinkedIn with no issues. Today I noticed that if i click on the link preview or any reference to my portfolio from LinkedIn I get this error:

I tested a few different website that have a fly.dev url and every single one is giving me this error so far. Google “site:*.fly.dev” or test with your own project.

Is it a known issue or is there a fix for this?

Sounds like a LinkedIn problem. Do they have a support department you could report it to?

I opened a ticket with them, so far i only got an automated response. I found this help article Malware and Bad Links or Attachments in Fraudulent Messages | LinkedIn Help but none of the links they provide seems to indicate fly.dev as malicious.

Sure, but without knowing how what test they actually do, we’d be guessing what is going on. I suspect the statement that your specific website has been reported (by a human user) is false.

See if you can find a .dev domain that is not with Fly, and see if that triggers it.

I tested boot.dev with no issues. It is really only with .fly.dev urls that LinkedIn thinks the url is malicious. If you Google “site:*.fly.dev” you will see tons of website hosted on fly. So far they all give me this error. But you are right I don’t know what is exactly going on and if I get a response I will make sure to post it here. I don’t know if it is against the rules to post examples of other people projects.

It’s probably against the prohibition on “expos[ing] private information” to link a specific user name to a .fly.dev domain, if they haven’t already done so in their own posts.

Just repeating domain names that you found in a Google search doesn’t seem like it would be, but if you want to be extra circumspect about associating other people’s work with a third-party malware alert (even a false one), you can use debug.fly.dev, rtt.fly.dev, and flynthetics.fly.dev, which are all maintained by Fly.io themselves.

2 Likes

Thank you for the info and great suggestions! I tested debug.fly.dev and I got the exact same error, here is a short clip of me testing it with a throwaway LinkedIn account https://drive.google.com/file/d/1n1LVLs06tc3EpNXq9FoUi8s6OosV1H6j/view?usp=sharing

1 Like

I am also experiencing this error “.fly.dev” coming from LinkedIn
I thought perhaps it was how I have Open Graph tags configured on my Rails site, but this only recently became an issue. The links had been fine since last year

Have you reached out to LinkedIn about it yet?

The best solution is to get your own domain.

Free domains are commonly exploited for malicious purposes. Not only on Fly but also other platforms like Cloudflare Workers.

3 Likes

I reached out to LinkedIn support and so far the back and forth hasn’t been productive.

  • I contact them about the issue.
  • A bot reply with something about recovering password but its not related to the issue?
  • I reply that this is not the issue.
  • They ask for a screen recording, i provide it.
  • They say that the website was flagged for malicious behavior.
  • I reply with proof that my website is not malicious and is my portfolio website.
  • They ask me to verify my open graph protocol headers.
  • I reply with proof that they are fine with their own post inspector tool and ask to elevate my ticket.
  • They reply with a link to stack overflow (isn’t that website basically dead now?)
  • I reply that stack overflow can’t remove malicious flags from linkedin.
  • They ask to access my account to “better understand what the issue is” and apparently they don’t need my password to do that.
  • I then tell them that if they access it to not mess with my connections, delete or messages anyone and provide proof that no security vendor according to Virustotal is flagging my website as malicious.
1 Like

Although i agree that it is indeed a solution and i agree with what you said about free domains i worry that it might not be a good idea because from what i have seen at a few places there is also .com urls wrongfully being flagged. Currently i cannot get my own domain, so i changed my contact info on LinkedIn to only include my github profile and i only refer to my portfolio on other platforms or on my CV. It is unfortunate that LinkedIn is doing this because what if you just want to share a fun little project? You might not want a custom domain for everything. Thank you for the suggestion regardless.

I send you both congratulations and commiserations :zany_face:. You’ve given it a good bash, but a village was temporarily deprived of its idiot when the replies were written. It’s not impossible in our global dystopia that this was an AI agent, of course.

I still maintain that it’s LinkedIn’s responsibility to fix this.

I personally still enjoy it, but for my very peculiar sins, I am more of a curator than an asker/answerer now.

My ticket has been escalated, maybe there’s hope. :folded_hands:

1 Like

Well good news! The support finally came back with a reply and my website has been whitelisted. So if someone find this thread in the future there is only 2 solutions really: open a ticket with linkedin and annoy them until they whitelist your website or get your own domain :slight_smile:

1 Like

i appreciate that you logged the workflow for us. i assume that there are teams at Linkedin that have a pseudo sudo or doas function.

i wouldn’t say stack is dead :laughing: they’re just tired of teaching stupid people how to politely use their website without being taken advantage of. Ironic that LinkedIn is probably one of the stupid people abusing and misusing Stack, then pointing fingers at them as if they’re even involved.

personally i am fine with linkedin making their platform utterly useless for all humans because its certainly nearly useless for me anyway so one big takeaway for people that haven’t encountered it yet: LinkedIn generally doesn’t care about anything but their revenue so blocking possibly malicious outbound links from a weirdly reputable site is always in their best interest.

i had to wait a couple of weeks before my recently registered domains with all dmarc/dkim/spf sewn up and everything — many relays greylist or just nope when receiving a MAIL FROM user@newdomain.com command.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.