RealTime IT News

Short URLs, Big Trouble?

Is it safe to go short? Generally yes, but security firm MessageLabs says in a report this week that there are many reasons to be careful about clicking on the shorter links or forwarding them blindly to others.

To recap the issue: Anyone who uses Twitter knows the value of shorter URLs. Twitter famously limits posts at the popular micro-blogging site to 140 characters, and a link counts against that limit, so a comment about a Web site plus its full address can easily run over. The result has been a boom of interest in free services like TinyURL and Bit.ly that reduce a URL of any length to roughly 15-20 characters.

The problem is that spammers and the people intent on spreading malware are using shortened URLs to distribute their unwanted wares. MessageLabs senior anti-spam technologist Matt Sargent says many mail and web filters keep updated lists of known bad addresses to block, but a shortened URL shows the filter only the shortening service's domain, not the destination, which gives spammers a way around those blocks.

"Generally there's nothing wrong with using these URL shortening services, but when you see a list of sites on Twitter, for example, with the short URLs under a hot topic, a lot of those are actually spam," Sargent told InternetNews.com. "But lots of people retweet them without clicking first to see what they are so they're actually spreading spam without realizing it."
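The defensive counterpart to what Sargent describes is to expand a short link before it is clicked, retweeted, or passed through a filter, and to apply the blocklist to every hop rather than to the shortener's domain. The Python below is an added example written for this article; it is not code from MessageLabs, Twitter or any shortening service. The hostnames, the blocklist entries and the canned redirect table are constructed for the demo, and `head_location()` shows how the same check would be done against a live shortener with a HEAD request that does not follow redirects automatically.

```python
"""Expand a shortened URL hop by hop and check every destination against a
blocklist before anyone clicks or forwards it.

Added example, not code from the article or the companies it mentions.
Hostnames, blocklist entries and the redirect table are constructed.
"""
from urllib.parse import urlsplit, urljoin
from http.client import HTTPConnection, HTTPSConnection

MAX_HOPS = 10  # a chain longer than this is suspicious in itself

# Constructed blocklist of domains a filter would refuse (not real sites).
BLOCKLIST = {"pharma-deals.example", "malware-drop.example"}

# Constructed redirect table simulating what two shorteners would answer to a
# HEAD request. Real shorteners reply 301/302 with a Location header.
FAKE_REDIRECTS = {
    "http://short.example/a1b2": "http://other-short.example/zz9",
    "http://other-short.example/zz9": "http://pharma-deals.example/buy",
    "http://short.example/good": "https://www.example.org/news",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}


def fake_location(url):
    """Offline stand-in for head_location(): the Location a shortener would
    send for `url`, or None when the URL is already a final page."""
    return FAKE_REDIRECTS.get(url)


def head_location(url, timeout=5):
    """Live resolver: one HEAD request, redirects not followed, returning the
    Location header or None if the response is not a redirect. HEAD fetches
    headers only, so no page content is downloaded or rendered."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-checker/0.1"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            return resp.getheader("Location")
        return None
    finally:
        conn.close()


def expand(url, locate=fake_location, max_hops=MAX_HOPS):
    """Follow the redirect chain manually, recording each hop.
    Returns (chain, status); status is 'final', 'loop' or 'too_many_hops'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = locate(chain[-1])
        if nxt is None:
            return chain, "final"
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def verdict(url, locate=fake_location, blocklist=BLOCKLIST):
    """Decide whether a link is safe to click or forward. Every hop is
    checked, not just the last, because a blocked site can sit in the middle
    of a chain of shorteners."""
    chain, status = expand(url, locate)
    for hop in chain:
        host = urlsplit(hop).hostname or ""
        if host in blocklist or any(host.endswith("." + b) for b in blocklist):
            return "block", chain, f"{host} is on the blocklist"
    if status != "final":
        return "block", chain, f"redirect chain did not terminate ({status})"
    return "allow", chain, "destination not on blocklist"


if __name__ == "__main__":
    for u in ("http://short.example/a1b2", "http://short.example/good",
              "http://short.example/loop1"):
        decision, chain, why = verdict(u)
        print(f"{decision:5} {u} -> {chain[-1]} ({why})")
```

Two design points matter in practice: the resolver never issues a GET, so an attacker's page is not fetched or executed during the check, and a chain that loops or exceeds the hop cap is blocked rather than allowed, since a filter that gives up on an unresolvable link and lets it through hands the evasion straight back to the spammer.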

Beware the botnet

MessageLabs, a division of Symantec, has identified Donbot as one of the major culprits. Donbot is a botnet responsible for sending approximately five billion spam messages every day, according to MessageLabs. "Links of any size need to be treated with caution," said Sargent.

The security firm reports a big spike in the use of shortened URLs by spammers in the last week of June. "What that indicates to us is that the spammers have found a way to automate the process," said Sargent. "That's what an uptick like that usually means."

Sargent suggests users be careful with e-mail and click only on links in messages they are expecting or that come from people they know. He cautions, however, that the latter is no guarantee, since a sender's identity can be forged.

"Look at the content associated with the e-mail to try and determine if it's legitimate," he said. "And if you're really paranoid, verify by other means like a telephone call or instant message to confirm that person sent you the e-mail in question."