Slashdot Mirror
Spammers Establish Fake URL-Shortening Services
Orome1 writes "Spammers are establishing their own fake URL-shortening services to perform URL redirection, according to Symantec. This new spamming activity has contributed to this month's increase in spam by 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March. Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened-URL on the spammer's fake URL-shortening Web site, which in turn redirects to the spammer's own Web site."
So if you block the fake URL-shortening domain with an "ad-blocker" or at the browser level (à la Google Chrome), you avoid pretty simply the redirection to the spam side, without having to block the legitimate URL-shortening sites. Or am I missing something?
I always found url shortening to be a weird and potentially dangerous practice. Trading some comfort to squeeze your link into a tweet for the comfort to actually predict where this link will take you? No thanks. If url does not fit into a tweet, then it's a tweeter problem that tweeter should fix. That's also why I don't use tweeter. I find IRC superior :)
I've never trusted ANY of the URL shortening services. in this age of cut-and-paste, for the most part (except for twitter) *I* really don't see the need for them. (note, I said "*I* don't see any need for them...it's an opinion...don't flame me for an opinion) :-)
I've been goatse.cx-ed on Slashdot too many times, I guess!
when I see a short URL (even those short valid ones from Reddit's imgur.com), red flags go off in my brain. (yeah that hurts)
Karma: Excellent. 15 moderator points expire sometime.
You can mitigate this on TinyURL by using this.
Easy solution: Block all URL-shortening services.
So you are telling me I shouldn't trust any tweets with sp.am in them then?
Legitimate URL shorteners don't care how their service is being used.
I've had contact with tinyurl, bit.ly and a few other shorteners with regards to spam links posted on forums, and sent by email. They'll stop one or two of them, but after a while of sending them reports, they'll just get mad at you and then ignore your emails. Well excuse me for trying to reduce the spam problem.
So a redirecting service redirects to a fake redirecting service that somehow redirects but to the wrong place? And how is that useful?
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
If only there were some way to reference a page on the internet in a canonical, consistent fashion. A uniform locator for a resource, if you will.
Lately, pretty much all the junk I recieve involves some poorly worded reference to some sort of sexual act, a shortened URL and a stream of random dictionary picked words (to avoid spam filters I figured...but it fails at that hard)
Yet, strangely, I check today and it's completely different. I have a mix of links: One that I have a feeling is what happens when you click a link via a yahoo search, and another that is www.(strange name).com/Iindex (with 2 'i's, beutifully done...not).
I fully agree and sit by anyone who says they do not trust any of these shorteners, aside from the TinyURL you can preview (thankfully). Sometimes, I even enjoy seeing the full addresses before I click them. You can see where in the website you are, (MASSIVELY importantly), the name and format file youre about to open. .jpg and not .js
The second you don't know what you're clicking is the second you give someone complete control of your address bar. You just better hope that file was a
I actually read TFA (well, most of it...) and it makes no sense whatsoever.
Even the shortened URL would require that somebody clicks on a link from a spam mail. Who's dumb enough to do that any more? This isn't 1996 where spam is some new thing people aren't aware of. Everyone who hasn't been living in a cave for the last decade and a half is aware enough not to visit links that a spam mail gives them!
Further, how does the presence of a shortened URL "contribute to a 2.9% increase"? The amount of spam sent is determine by how much is sent, not by the content of it.
I don't know many people who even get spam any more. Most people I know got fed up with it, made a new email, and only use it for "safe" things, and never have it online in a machine parse-able way. For registering with web forums and stuff like that you use a throw-away account and then delete it after you register. You cannot be spammed unless you allow spammers to have your address, and I for one consider that unacceptable, so I don't let them have it. It's easy to not get spammed. I haven't received a single spam in the last 10 years, and I'm blown away that spam is still considered a problem.
It's a question of what scope you care about.
Many "netizens" care about the entire internet and all of its users [to a degree]. As for myself, I don't give it much thought since, like you, I don't have a problem as my methods, manners and technologies keep me clear of such problems. But in the interests of goodness and justice, I still care about the idiots, morons and unwashed out there who simply don't [care to] know any better. The scum out there needs to be killed.
This is why I created http://unshrink.me/ To combat all these URL shorteners.
"spam never really was a serious problem"
Oh, really?
"Pharmaceutical promotions usually account for around 64% of all email spam globally – around 60bn messages a day. This fell to as low as 0.1% over the Christmas period, accounting for a comparatively tiny 70m emails. "It's a drop in the ocean compared [to previous spam levels]," said Paul Wood, a senior analyst at cyber security firm Symantec.
The volume of total email spam dropped to its lowest point in two years last month, from 200bn a day in August to around 30bn daily at the end of December.
But today that figure rebounded sharply to 70bn emails, in the first sign of a resurgence since spam levels flatlined two weeks ago."
http://www.guardian.co.uk/technology/2011/jan/10/email-spam-record-activity
But, clearly, spam "isn't a serious problem."
For those not crazy about URL shorteners: it's worth remembering that those whose jobs require creation of QR Codes for insertion in documentation and signage sometimes have to shorten URLs for these Codes. An in-house approach to this is best, IMHO, but YMMV.
Discussion System prefs link: http://slashdot.org/users.pl?op=editcomm
Can't tell if trolling or just stupid.
My gmail account (about a year old, very odd spelling, probably not randomly targeted) gets around 100 per day, 99 of them get filtered
My work email (firstinitial.lastname@) gets around 500 per day, filter manages to take out almost all of them.
Yet I am still a spam victim, and so are you.
Our corporate mail server only serves about 300 non-alias email addresses. Some of our sales people and executives get upwards of 2000 spam messages a day, and though we are able to filter fairly effectively, thus mitigating the immediate impact to our users; the cost of fighting the spam, upkeep on the filters (1 false positive is worse than 100 spam getting into the inbox) the cost of the appliances, the cost of the rack space, cooling, electricity, etc....
The secondary cost of spam is MASSIVE.
For you it causes higher prices for internet, but it also causes the entire internet to run slower. WAY slower. Because while 100 spam messages would download to me in a few seconds and take a few more seconds to delete (or less because it got filtered) the approximately 55 BILLION spam messages that are sent each day comprise 70-80% of emails sent per day.
Hell, go ahead and take it to the PER USER level on costs. Just like text messages, my phone's internet is cost per unit. A spam email uses some quantity of that unit. Thus a spammer sending me a spam email (that makes it through the filter) costs me that money directly.
Also, as has been said many times before: Spam is not passive, it's active.
IT COSTS ME MONEY EVERY TIME I GET SPAM.
My two choices are "Pay for the spam" or "Don't use any email ever".
If I gave you the choice of paying me 5 pence every time I call you (even if you don't answer) or never again using any form of electronic voice communication (so as to catch any type of VoIP) you'd want me charged with extortion.
tl;dr -
spam uses data -> you pay for data used -> you're a spam victim.
spam costs me money against my will, without being a government agency (they take my money all the damn time) = THEFT
Including one that I own and when they're in a good mood, they attempt to make shortened URLs as quickly as our servers can handle them, often many thousands per day.
Thankfully, due to the sterling efforts of many of the URL blacklisting services out there, these are purged on the hour, on the day, on the week and on the month automatically, so often don't last that long.
However, if legitimate people start to use the URL shortening services that the spammers provide, it'll hardly be in their interests to remove the spammy redirects.
Who cares?
Parents! Teenagers are really bad at distinguishing between real and fake. They just click on anything that pops up to make it go away, and they click e-mail links because they look interesting.
Also, computer illiterates, especially older people. My brother-in-law bought something called "Win Anti-Virus" because he got spam telling him that his anti-virus software was out of date. He didn't realize that it wasn't "Norton" Anti-Virus, and that "Win Anti-Virus" is actually a scam.
If you look at spam victims as idiots who deserve to be taken, then I see your point. But if they are people you care about, things look a little different.
We have mitigated this where I work by setting up a dedicated domain that does nothing but redirect short URLs created by library staff and faculty. The base domain of the shortened URL is something we have under our control, so a user who sees one of these shortened URLs knows that it's going to go some place that a professor or a librarian has set up. We maintain this through our staff website, with a Drupal CCK that just has two fields - the short URL and the FQDN of the destination page. It seems to be working out well.
The added bonus is that our short URLs are still meaningful, since a prof or a librarian can pick what they want the short URL to be. We limit them to 6 characters, but it's usually some variation on the resulting page. A few URL shortening services let you pick your preferred URL but most of the good ones are gone now. Plus, we can expire them when they are no longer relevant.
I actually enjoy receiving spam and replying to it so why block the url shorteners?
If the link is shorter, then I wouldn't call it a fake URL shortener. I think I more sane explanation of what is going on there is that spammers are using redirectors to avoid detection by users and URL-shortening services.
Nothing to see here.
Thousands of unsolicited messages a day can rapidly take a mailbox over quota, so filtering on the client isn't a sane choice. Not to mention the difficulty filtering backscatter -- thousands of messages an hour because some spammer forged your address! Filtering on the server can create its own problems with false positives and storage quotas -- it's easier to reject known bad senders at smtp time. The follow on problem is the number of smtp connections, the spammers don't take no(in the smtp 5xx sense) for an answer -- especially since the advent of greylisting. The problems are real.
Thus spake the fuckwit that obviously has no experience with administering email servers? Yes, I've been trolled.
I've found people no longer trust short URLs. But give them a long, impressive authoritarian-sounding URL and they assume it must be part of some corporate datacenter they can feel safe doing business with. Right now there are a couple, like Johannes longurl. It works, but doesn't fill the URL with impressive sounding words. What we need is something tied to a thesaurus lookup with all manner of impressive sounding terms meant to subliminally make the person think they are safe. e.g., reallybigcorporationofamerica.com/htppsss/accounting/security/firewall/lockdown/secureurltoken.shtml&verifiedid=320498982342394ab098f&checksum=0342f&etcetcetc
"Waste not one watt!" - CZ
Something like shadyurl.com? This has always been one of my favorite URL "shorteners".
I always wondered what if a not so scrupulous person set up a url shortening service that operated legitimately for a while getting itself spread all over the web. Then one day they change it so that all the urls now point to a frame with the target site surrounded by ads. It would be mostly too late to stop it, and the terms could be along the lines of "we reserve the right to do anything we want with shortened urls".
It drives me mad when I see URL shorteners used in places that do not have a space limitation. Like on a regular website. I get the point of using it on twitter or txt messages, but on a blog or website? Ug. It's killing the web.
Why are spammers so insistent on getting people who obviously are not interested in what they are selling to look at their wares? Are there people who then go "Oooohhh, shiny! I must buy, I must buy"?!? Isn't the point really to get sales? I guess there are people like that and as long as there is, there will be spammers.
why are we not prosecuting the advertisers themselves for fraud? who the hell gives these people money to make this multi-headed, nested box, country jumping, spam monster?
Doesn't it boil down to one end getting spam, and the other end getting money? If there is a way for money to transfer to that end, then there should be a way for people to find that end, and then charge them five times whatever money they made in fines.
Stop hitting HOW they spam, and start hurting WHY.
We heard you like short URLs, so we put a shot URL inside of your short URL so your URL can be shortened while it is shortened.
Thus spake the fuckwit that obviously has no experience with administering email servers? Yes, I've been trolled.
My intention was really not to troll. Look, it's clear that mail server admins, especially the whiny ones (hehehe), don't like spam. I didn't say I like spam either, I said it never was a serious problem and I still haven't seen any argument against this point of view.
Quite honestly, I have never met a 'victim' of spam in real life or on the Net, not a single time. I'm on the Net for more than 15 years now and nobody I have ever met had a genuine problem with his inbox or bandwidth because of spam. I don't deny that there occasionally are extreme cases but as far as I can see these are fairly rare. Moreover, the bandwidth argument someone else mentioned doesn't count at all, because the total amount of email traffic on the Net is fairly small in comparison to the total amount of other traffic, most notably porn streaming and bittorrent.
So at the risk of being modded a troll I continue to submit that spam is one of the smallest problems on the Net and has been vastly exaggerated, but anti-spam advocates have caused lawmakers to produce ridiculously severe and injust penalties for spammers in some countries (e.g. the US).
The real problem, on the other hand, is barely addressed at all: the extreme commercialization of the Internet that started in the 90ies with all its negative side effects. If there was a similar network where commercial entities/for profit sites would be strictly prohibited I'd be among the first to sign up.
Dont click on links in emails from people you dont know. This doesnt change because they shortened the url. they still are selling the same stuff,penis pills and so on. So the "from" will be fake as always,and the same unreadable subject lines.
Jack of all trades,master of none
I've seen businesses that rely on email effectively halted due to joe-jobbing/backscatter. That is as much due to misconfigured servers as spam, but it is nonetheless a real world problem that you refuse to recognise for whatever reason. joe-job spam only gets 17.4 million results in google, so I can see how you don't think it's a real issue.
Sorry, you're either trolling or more stupid than the "spam victims" you denigrated.
With a URL like "my.tv/fjdhj454jhj45/", you have NO idea where you're being sent. If you click on it, as far as I'm concerned, you deserve what you get. The whole idea of URL shorteners has always been a (further) invitation to trouble. So is allowing redirection. So is hiding the URL bar. These are ideas that offer utility if used responsibly, but open the gates of doom as soon as anyone with evil intent takes advantage of them. And the fact is, the web is rife with folk of evil intent.
When I see a shortened URL, I just skip it.
I've fallen off your lawn, and I can't get up.
But, shortened URLs get expanded in the end. So, even if they send you to a fake site, the URL of that fake site will then be apparent. If you're reading an article with a shortened link to some article you think should be at yahoo.com and you end up at yarha.com, then you'll realize you've been improperly redirected. It is a problem if you aren't paying attention, but otherwise, not too big a deal IMO. (Just make sure you have all the 'auto-' anything turned off for your browser so the redirect can't link to something which will download and expand, install, run, etc.). But, that is like security 101 anyway. Someone could put a link on any website that sends you somewhere you don't think it will if you aren't paying attention as well... that has been going on for years! Nothing new, just a slightly different form of it.
It is more a problem with things like Twitter, though I agree, same rule applies... just harder to implement there. My advice, use a good browser, properly setup, on a good OS... then even clicking a bad link isn't a problem for the most part so long as you have a bit of common sense.
I've seen businesses that rely on email effectively halted due to joe-jobbing [...] That is as much due to misconfigured servers as spam,
Yet, if you configure the servers correctly such problems cannot occur. Am I supposed to pitty businesses that cannot configure correctly the technologies they rely on? As I said, the only victims of spammers seem to be idiots who would be victims of someone else otherwise...
Sorry, you're either trolling or more stupid than the "spam victims" you denigrated.
Clearly, you represent the voice of reason here, as indicated by posting anonymously and enriching your arguments with words like "fuckwit", "troll", and "stupid."
It depends on the service owners - do I personally trust them or not? For example the German Press Agency (Deutsche Presse Agentur - dpa) has its own service only for their own use (About the dpa 'dpaq' servie http://dpaq.de/ueber_dpaq.html [german only]). there are also several other short url services I trust, e.g. made by IT magazines, where you can be sure they will also exist some years long. (Well, I also trust my own service buts thats not yours ;-)).
And by the way - if using the right system (*cough-nix-hrm*) and the right browser (*argh-opera-ahem*)- what do you fear about?
According to dpa, Wikimedia lists 500 short URL services on their blacklist (https://secure.wikimedia.org/wikipedia/meta/wiki/Spam_blacklist) - just add them to your persoanl proxys blacklist maybe? Or just use bfilter (http://bfilter.sourceforge.net/)? (Well, you migh want to add a 'NOFILTER *ebay*' to your urls.local for latter if you want to see the full description at your (un)favourite flee market...)
Anyway, no use to frown because of some spammers again, just use these short links in your PMs, no one will (or shall) click/read them after some time or if they don't know you...
I lag
That is in the single case of backscatter where you're relying on 3rd parties to correctly configure their servers. The number of simultaneous connections to MTAs from botnets can be problematic, as can exhaustion of quotas and storage space. The sheer volume of spam creates issues with bandwidth and software. At one of my clients, the monday morning email pull crippled both the network and the desktops until I installed an on-site mail server with filtering and reject rules.
If you don't experience any problems with email, it is because of the hard work of mail system administrators. For you to claim that spam is not a problem, despite ample evidence to the contrary is not a tenable or reasonable position. The cost to businesses of dealing with spam is ultimately passed onto customers, I can assure you that we are all "spam victims".
Thou doth protest too much; it is you who labelled "spam victims" stupid in your initial comment. Could it be that the words with which I enriched my argument were accurate? I think it is, you sir are a troll and I'm done wasting my time with you!
Don't just shorten your URL, make it suspicious and frightening.
http://5z8.info/white-power-rides-upon-stallions-unstoppable_p1i3zc_PIN-phisher