Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Should using bit.ly get you blocked?

About a month and a half ago, I wrote a post in response to a post by another blogger.  His point was that if you write an email and include a bit.ly link in it, the mail won’t get through.  I countered that a filter which blocked every message containing a short URL would generate all manner of false positives.

Since then my position has evolved somewhat (but do not send me any crow, for I shall not eat it).  The big problem with URL shorteners these days is that spammers are setting up their own and then using them to spam.  Because there is a dearth of URL reputation lists that contain URL shortners* (other than Spamhaus’s), spammers have more success with these.  All you have to do is create your own shortening service, hide your real URL behind it and then send out spam.  Spam filters are left guessing, because the reputation lists they consult say nothing about the shortened URL, and the destination it redirects to is never examined.

As someone who is responsible for receiving mail and making sure that the legitimate mail gets through to end users**, my philosophy is to err on the side of leniency.  None of us like to lose legitimate mail, but most of us will put up with the occasional spam in our inboxes.

But not everyone will put up with spam in their inbox.

If a spammer sends out mail from a Hotmail account that contains a phishing message (or malware link) hidden behind a redirector, and that mail goes to a high-level executive, that’s a problem.  Everyone reading this will agree that they have tolerable limits for the general population of users but that executives get special treatment (a reversal of the policy wherein you design for the masses and not the special cases).  And if a bunch of spam comes in to high-level executives containing content that is resistant to traditional reputation filtering, then my policy of not blocking redirectors is problematic.

“Why did this spam come to my inbox?”

“Because it’s not on an IP blocklist or a URL blocklist.”

“I don’t care!  Block it!”

“Umm… hmm…”

The problem is that taking proactive action on these types of messages at a network-wide level will cause false positives.  However, for individual users it sometimes makes sense to block messages containing URL redirectors, or at least to score them more heavily (most spam messages contain at least some content that makes them look partly spammy, even when the filter can’t reach a complete decision on that content alone).

Thus, it makes sense to have an option that lets a user mark messages containing short URLs as spam.  This will be prone to false positives, but that’s the way it is.  If you want to be more secure, then you are accepting the fact that you will lose some legitimate mail as well, unless you whitelist particular senders.

URL shortners aren’t really intended for email anyhow.  You’re not restricted by space in an email.  You can always use HTML mail and put in a hyperlink so the address doesn’t take up 400 characters.  On the other hand, you are restricted by space in Twitter, text messaging and Facebook status updates.  You should use short URLs there.  But email?  It’s not really necessary.

So, the situation is this:

  • Short URLs in email look nice, but there are ways to keep your email looking nice without using them.
  • You need short URLs in communication tools other than email.
  • You can block messages (or at least score more aggressively) that contain short URLs, but you will generate some false positives.
  • If that happens, you can mark the sender as a safe sender.
  • This setting should be optional; my personal recommendation is to turn it on when you need it and off when you don’t (kind of like the Fed setting interest rates very low.  Oh, wait…)
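To make the policy above concrete, here is an added example (my own illustration, not code from this blog or from any production filter) of how the per-user switch, the extra score for redirectors, the safe-sender escape hatch and the reputation lookups fit together.  Everything in it is constructed: the blocklists, the spammy-phrase weights, the sender addresses, and a redirect table that stands in for the HTTP HEAD request a real filter would send to the shortener.  It also goes one step past the post by checking the landing domain of the redirect against the URL blocklist, which is the check a practitioner would add first.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed reputation data; stands in for the IP and URL blocklists the
# post refers to. None of these addresses or domains are real listings.
IP_BLOCKLIST = {"203.0.113.7"}
URL_BLOCKLIST = {"malware.example"}

# Constructed content rules: the "partly spammy" signals the post mentions.
SPAMMY_PHRASES = {"verify your account": 2, "free": 2, "winner": 2}

# Hypothetical redirect table. A real filter would issue an HTTP HEAD to the
# redirector and read the Location header; here the lookup is offline.
REDIRECTS = {
    "http://bit.ly/abc123": "http://fresh-phish.example/login",  # new domain, not listed yet
    "http://bit.ly/def456": "http://blog.example/article",       # legitimate newsletter link
    "http://sh0rt.example/x9": "http://malware.example/dl.exe",  # spammer-run shortener
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

THRESHOLD = 5          # a score at or above this is classified as spam
REDIRECT_PENALTY = 3   # extra weight for a URL that redirects off-host
LIST_HIT = 10          # weight of an IP or URL reputation hit


@dataclass
class UserPolicy:
    """Per-user settings: the optional short-URL switch and the safe-sender list."""
    penalize_redirectors: bool = False
    safe_senders: set = field(default_factory=set)


@dataclass
class Verdict:
    is_spam: bool
    score: int
    reasons: list


def resolve(url: str, max_hops: int = 5) -> str:
    """Follow the constructed redirect chain, bounded so a loop cannot hang the filter."""
    seen = set()
    for _ in range(max_hops):
        if url in seen or url not in REDIRECTS:
            break
        seen.add(url)
        url = REDIRECTS[url]
    return url


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def score_message(sender_ip: str, sender: str, body: str, policy: UserPolicy) -> Verdict:
    """Score one message under a user's policy; reasons explain every point added."""
    score, reasons = 0, []

    if sender_ip in IP_BLOCKLIST:
        score += LIST_HIT
        reasons.append(f"sender IP {sender_ip} on IP blocklist")

    lowered = body.lower()
    for phrase, weight in SPAMMY_PHRASES.items():
        if phrase in lowered:
            score += weight
            reasons.append(f"content: {phrase!r}")

    trusted = sender.lower() in {s.lower() for s in policy.safe_senders}

    for url in URL_RE.findall(body):
        host, landing = host_of(url), host_of(resolve(url))
        # Reputation check on both the visible host and the landing host.
        for h in {host, landing}:
            if h in URL_BLOCKLIST:
                score += LIST_HIT
                reasons.append(f"{h} on URL blocklist")
        # The optional per-user rule: an off-host redirector costs extra points,
        # unless the sender has been marked safe (the false-positive escape hatch).
        if landing != host and policy.penalize_redirectors and not trusted:
            score += REDIRECT_PENALTY
            reasons.append(f"{host} redirects to {landing}")

    return Verdict(score >= THRESHOLD, score, reasons)


if __name__ == "__main__":
    phish = "Please verify your account: http://bit.ly/abc123"
    print(score_message("198.51.100.5", "someone@hotmail.example", phish, UserPolicy()))
    print(score_message("198.51.100.5", "someone@hotmail.example", phish,
                        UserPolicy(penalize_redirectors=True)))
```

With the switch off, the phishing message scores only on its content and gets through; with it on, the redirect penalty tips it over the threshold.  The same switch turns a legitimate "free webinar" newsletter sent through bit.ly into a false positive, which is exactly the case the safe-sender list exists for.  Note that the penalty fires on any off-host redirect, not just on a fixed list of shortener domains, so it catches the spammer-run service the post describes, but it will also catch legitimate click-tracking links.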

There you have it.  My position is more nuanced than it was before.


* I intentionally spelled the word “shortener” as “shortner”.

** Despite what one of my co-workers erroneously thinks, the false positive rate is measured as 1 per xx legitimate messages, not 1 per total (spam + non-spam) messages.

  • We consider shortened URLs as indicative of spam unless they come from a known sender.

    The shortening services should put CAPTCHAs etc. in place to prevent abuse. Most of them don't have a CAPTCHA or any other spam abuse prevention mechanism and are therefore helping to hide spam. Those deserve to be blocked due to the sheer volume of spam links coming through them. Those with suitable anti-spam measures in place won't be blocked, as they are not responsible for lots of spam.