Prevent Phishing by Blocking URL Shortening Services

It was reported recently that popular URL shortening services are being exploited by spammers to circumvent common spam filters and trick users into following links to malicious web sites.  The explosion in popularity of these services is largely due to the growth in the number of people using Twitter, a micro-blogging service that limits users to messages of 140 characters or less.

URL shortening services allow Twitter users to share URLs with each other without concern for the length of the URL.  For example, http://www.veryinterestingwebsite.com/funny-video (49 characters long) can be shortened to http://tr.im/s74hs (a mere 18 characters long).  There is no doubting that this is convenient for services such as Twitter, but it really serves no useful purpose for normal email communication.

As Microsoft’s Terry Zink points out:

“I checked out all of these sites… and I couldn’t believe the insecurity running on them! It was unreal! All I had to do was enter in a URL, click the button and bam — I had a compressed URL ready for me to use.

There was no CAPTCHA on the site either, so all that would need to be done is have a spammer write a script to plug tons of these things in there. A spam filter could not easily key on the URL in the message to block the message since the root domain is all the same; the filter would have to travel through to the site and then extract the URL to see if it was good or not.”

In other words, to safely check each shortened URL in an email message, the anti-spam server would need to follow that URL to the URL shortening service and be redirected to the real URL that it leads to.  This takes a non-trivial amount of time and computational effort, especially for a server checking hundreds of thousands of email messages every day.

So why permit them at all?

Some email users may be using these services to share perfectly harmless URLs in messages, but it is a fairly pointless exercise because:

a) It raises suspicion that the real URL is being hidden for malicious reasons; and

b) There is no character limit on email messages so no compelling reason to use shortened URLs to begin with.

Given these two points, and the risks that these services are presenting, some email administrators are simply blocking all messages containing shortened URLs.  Lists of popular URL shortening services such as this one at Mashable can be found by a simple Google search.
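One way to implement the blanket block described above, as an added example that is not part of the original article: a Python check a mail filter could run on a raw message, with no redirect-following needed. The domain list is a small sample, the function names are hypothetical, and the message is constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Sample blocklist (assumption): tr.im and TinyURL are named on this page,
# bit.ly is added for illustration. Replace with your own maintained list.
SHORTENER_DOMAINS = {"tr.im", "tinyurl.com", "bit.ly"}
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

def is_shortener(host):
    """True if host is a listed shortener domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SHORTENER_DOMAINS)

def shortened_urls(raw_message):
    """Return shortener URLs found in the text parts of an RFC 5322 message."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64 / QP
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;:!?")  # drop sentence punctuation
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:  # malformed authority: nothing to match
                continue
            if is_shortener(host) and url not in hits:
                hits.append(url)
    return hits

# Constructed sample message (not real mail); the HTML part is quoted-printable.
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Watch this: http://tr.im/s74hs.
Original: http://www.veryinterestingwebsite.com/funny-video
--b1
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<a href=3D"http://TinyURL.com/abc123">click</a>
--b1--
"""
print(shortened_urls(SAMPLE))
```

Matching is done on the parsed hostname rather than on a substring of the body, so a host such as `tr.im.example.com` is not flagged while `www.tinyurl.com` is.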

Written by Paul Cunningham

Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.

0 Comments

  1. Moshe Feder · August 21, 2010

    I just discovered by accident today that Verizon seems to be blocking outgoing mail containing at least some shortened URLs. (I use them in email when the original is VERY long and won’t fit on a single unbroken line.) Messages with URLs abbreviated with Metamark’s Shorten are blocked, while those from TinyURL go through. Strange, or at least inconsistent.

    What made it worse for me is that I’d just that moment tried switching my DNS server settings to OpenDNS, creating the impression that the change was the reason my outgoing mail wasn’t working. I wasted _hours_ trying to solve the wrong problem.

    I’m also a little surprised to learn that the body of my outgoing emails is scanned by my ISP!
