Prevent Phishing by Blocking URL Shortening Services
Written by Paul Cunningham on July 15, 2009
It was reported recently that popular URL shortening services are being exploited by spammers to circumvent common spam filters and trick users into following links to malicious web sites. The explosion in popularity of these services is largely due to the growth in the number of people using Twitter, a micro-blogging service that limits users to messages of 140 characters or less.
URL shortening services allow Twitter users to share URLs with each other without concern for the length of the URL. For example, http://www.veryinterestingwebsite.com/funny-video (49 characters long) can be shortened to http://tr.im/s74hs (a mere 18 characters long). There is no doubt that this is convenient for services such as Twitter, but it serves no useful purpose in normal email communication.
As Microsoft’s Terry Zink points out:
“I checked out all of these sites… and I couldn’t believe the insecurity running on them! It was unreal! All I had to do was enter in a URL, click the button and bam — I had a compressed URL ready for me to use.
There was no CAPTCHA on the site either, so all that would need to be done is have a spammer write a script to plug tons of these things in there. A spam filter could not easily key on the URL in the message to block the message since the root domain is all the same; the filter would have to travel through to the site and then extract the URL to see if it was good or not.”
In other words, to safely check each shortened URL in an email message the anti-spam server would need to follow that URL to the shortening service, be redirected, and only then evaluate the real destination it leads to. That is not a trivial amount of time and computational effort, especially for a server checking hundreds of thousands of email messages every day.
So why permit them at all?
Some email users may be using these services to share perfectly harmless URLs in messages but it is a fairly pointless exercise because:
a) It raises suspicion that the real URL is being hidden for malicious reasons; and
b) There is no character limit on email messages so no compelling reason to use shortened URLs to begin with.
Given these two points, and the risks that these services are presenting, some email administrators are simply blocking all messages containing shortened URLs. Lists of popular URL shortening services such as this one at Mashable can be found by a simple Google search.
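The two approaches discussed above (a filter that blocks any message carrying a link to a known shortening service, and the more expensive alternative of following the redirect to find the real destination) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the original post or from any product it mentions. The shortener domain list, the sample message body and the redirect map are constructed for the example; a real deployment would maintain the domain list from a published source and would issue HEAD requests with a timeout in place of the injected fetch_location function.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of shortener domains (assumption: an administrator would
# maintain this list from a published source, as the post suggests).
SHORTENER_DOMAINS = {"tr.im", "bit.ly", "tinyurl.com", "is.gd"}

# Crude URL extractor for plain-text message bodies; trailing punctuation is
# stripped so "http://tr.im/s74hs." yields the URL without the full stop.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> List[str]:
    return [m.rstrip(".,;:)") for m in URL_RE.findall(text)]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_shortener(url: str, domains=SHORTENER_DOMAINS) -> bool:
    """True if the URL's host is a listed shortener domain or a subdomain of one."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in domains)


def resolve_redirects(url: str,
                      fetch_location: Callable[[str], Optional[str]],
                      max_hops: int = 5) -> Tuple[str, int, str]:
    """Follow the redirect chain starting at url.

    fetch_location(url) returns the next Location or None when the response
    is not a redirect. Returns (final_url, hops, status) where status is
    'ok', 'loop' (a URL repeated) or 'too_many_hops' (cap reached). The cap
    and loop check bound the work the filter spends per link.
    """
    seen = [url]
    current = url
    for hop in range(max_hops):
        nxt = fetch_location(current)
        if nxt is None:
            return current, hop, "ok"
        if nxt in seen:
            return nxt, hop + 1, "loop"
        seen.append(nxt)
        current = nxt
    return current, max_hops, "too_many_hops"


def classify_message(body: str,
                     fetch_location: Optional[Callable[[str], Optional[str]]] = None,
                     domains=SHORTENER_DOMAINS) -> Tuple[str, List[Dict]]:
    """Return ('block' | 'allow', findings). With no fetcher this is the cheap
    block-on-sight policy; with a fetcher each shortened link is also resolved
    so the final destination can be fed to a URL reputation check."""
    findings = []
    for u in extract_urls(body):
        if not is_shortener(u, domains):
            continue
        entry = {"url": u, "final": None, "hops": 0, "status": "unresolved"}
        if fetch_location is not None:
            final, hops, status = resolve_redirects(u, fetch_location)
            entry.update(final=final, hops=hops, status=status)
        findings.append(entry)
    return ("block" if findings else "allow"), findings


# Constructed sample message and redirect map, standing in for live HTTP.
SAMPLE_BODY = ("Hi, check out http://tr.im/s74hs. and also "
               "http://www.example.com/report")
FAKE_REDIRECTS: Dict[str, Optional[str]] = {
    "http://tr.im/s74hs": "http://www.veryinterestingwebsite.com/funny-video",
}


def fake_fetch_location(url: str) -> Optional[str]:
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    verdict, findings = classify_message(SAMPLE_BODY, fake_fetch_location)
    print(verdict)
    for f in findings:
        print(f)
```

The block-on-sight policy (calling classify_message without a fetcher) costs one regex pass and a set lookup per link, which is what makes it attractive to the administrators the post describes; the resolving path is the expensive one, and the hop cap and loop detection are the checks that keep a single malicious chain from tying up the scanner.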