I received some scam notifications in Gnome! Help me to troubleshoot them and find the culprit

Hello everyone :slight_smile:
This morning I turned on my laptop with Fedora 29 and turned on the usual set of applications I use for my daily job:

  • Firefox (with some extensions)
  • Thunderbird
  • Slack (from flathub repository)
  • VSCode (from the Microsoft repository)
  • Gnome Terminal
  • Gnome Web (with Google Calendar in web app mode)

As soon as they were turned on, I found out in my Gnome notification panel two notifications about some “handy ways to get money”, in a very typical scam pattern. They had a weird application symbol aside which I don’t think I’ve seen before, and there was no indication of the app generating them whatsoever. To try to find out where they were coming from I clicked on them (yep, I trust Fedora’s security a lot) and they just led me to a scam webpage in Firefox.
I checked my email in Thunderbird, but I couldn’t find any trace of scam mail.
Several minutes later, I received another similar scam notification, but this time with the Google icon. It disappeared by itself after about one minute.

I am really concerned about these events, and I am trying to find out where they actually originated. I couldn’t see anything related in journalctl and Gnome Logs. Is there a way to investigate further starting from the Gnome notifications? Or do you suggest another approach?

Thanks to everyone who’ll help me!

1 Like

Hi maikewng

It is dificult to say some ideas that maybe you could try than just i am thinking;

1- Look into the app “settings” of gnome and search into the options programs to see what programs is going notifications to the gnome panel, check if you see something weird (it is not very propable but one should check in first place)

2- Remove cache files from your /home//.cache/ you can do simply running the command:
rm -r ~/.cache/*

(it can help if exit a app what is in running trought cache files into firefox or thunderbid (probably) or others…)

3-Look into the extensions what you did install into your firefox/thunderbird or for the own gnome (maybe some of they is just a font of problems, delete /reinstall them if you have someone installed what one can be supicius)

4-Look into the monitor of process of gnome if you see some app suspicius, you can recive more information with (mouse right-click about the process… you know)

5- Think what you did / changed in the pc just before of this began to happen maybe it will give you some clear idea about a possible origen. Strange repos / applications / etc…

Juts right know it is all thatt i can imagine out, I hope you can find the font of this problem.

1 Like

Hi @maikewng! Welcome to the community! Please have a look at the introductory posts in the #start-here category if you haven’t had a chance to do so.

The most easy and least troubling source of these popups would be website notifications from Firefox (or another browser, but I read you correctly you use Firefox only).

From what I’ve seen it’s possible that they were “saved” from you previous session, that’s why they popped up right after you turned your computer on.

Please check Firefox PreferencesPrivacy and SecurityPermissions (closer to the bottom of the page) → Notifications – button [Settings] to the right of Notifications.

You should see the list of all the sites you’ve given permission to show you pop-up notifications. The culprit can be one of them.


A simple way of checking if it is indeed firefox is to create a new profile and see if these notifications persist:

Please ensure that you’ve closed/killed all instances of your default profile, though.

1 Like

Indeed, it turns out they were just web push notifications sent by some tutorial website I visited. I was not aware that notifications could be pushed even when the sending website is not opened in a tab. It turns out web push notifications are effectively a subscription service!

Thanks to everyone for your support :slight_smile:


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.