Aggressive spammers set up their own URL-shortening sites

By Tim Greene, Network World | Security, spam, URL shortening

Spammers are experimenting with a new tactic to improve their success rate: setting up their own URL-shortening sites as a way to dodge anti-spam software and avoid protections put in place by legitimate URL-shortening sites.

Doing so lets spammers mask the fact that links they send in emails ultimately lead to sites where they can try to sell pirated software, prescription drugs, pornography and the like, according to a report by Symantec.cloud.


The result is that fewer spam sites are filtered out automatically by end users and URL shorteners, making it more likely that spam recipients will actually reach the websites spammers are trying to lure victims to, says Matt Sergeant, a senior anti-spam technologist with Symantec.cloud.

Evidence of these sites first appeared last month and is reported by Symantec.cloud in its May 2011 Intelligence Report.

Legitimate URL-shortening sites such as bit.ly and tinyurl have already been abused by spammers as a way to get around anti-spam software, which can recognize dubious sites and block email that contains them.

To get around that, spammers shorten their URLs at legitimate shortening sites and send the shortened versions in spam. Spam filters have no way of knowing that the actual destination is bogus, so they allow the spam to reach recipients' inboxes. Recipients click on the links, their requests go to the URL-shortening site, and the site redirects them to the bogus site.

The legitimate URL-shortening sites know they are abused in this way and take steps to block attempts to shorten URLs of known spam-destination sites, Sergeant says.

To further anonymize spam destination sites, spammers have now set up their own URL-shortening sites. So rather than asking a legitimate site to shorten the URL of the destination site, they ask it to shorten a URL that has already been shortened by their own service. That way the legitimate site is never asked to shorten the URL of a site that can be identified as bogus, and it fulfills the request.

In a hypothetical case, a spammer might want to lure victims to www.xxxsuperdrugs.com, a URL that may be blacklisted by the legitimate URL-shortening sites. So the spammer would run www.xxxsuperdrugs.com through its own shortener first and send the resulting URL to a legitimate site to be shortened again. The latter shortened URL would be sent as a link in a spam message.

From the recipient's point of view, the link in a spam email connects to a legitimate URL-shortening site, which redirects the request to the spammer's URL-shortening site, which in turn redirects to the actual destination site. Recipients click the link once and the rest happens automatically.
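A mail filter that judges only the link as it appears in the message never sees the second hop. The defensive answer is to follow the whole redirect chain and inspect every hop. The following is an added example, not code from Symantec.cloud or the article; it uses a constructed redirect table in place of live HTTP requests, and the spammer's shortener domain (shrt.example.ru) is a placeholder standing in for the .ru sites the report mentions.

```python
import urllib.parse

# Constructed redirect table standing in for live HTTP HEAD requests, so the
# example runs offline. Keys are URLs, values are the Location header each
# would return (None = final page, no redirect). shrt.example.ru and the
# example.com news page are placeholders; the drug site is the article's own
# hypothetical destination.
FAKE_HTTP = {
    "http://bit.ly/abc123": "http://shrt.example.ru/x9",              # legitimate shortener
    "http://shrt.example.ru/x9": "http://www.xxxsuperdrugs.com/buy",  # spammer-run shortener
    "http://www.xxxsuperdrugs.com/buy": None,
    "http://tinyurl.com/good": "http://www.example.com/news",
    "http://www.example.com/news": None,
}

KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com"}
BLOCKLIST = {"www.xxxsuperdrugs.com"}  # a real reputation feed in production

def host(url):
    return urllib.parse.urlsplit(url).hostname or ""

def resolve_chain(url, fetch=FAKE_HTTP.get, max_hops=8):
    """Follow Location redirects without rendering anything; return every hop.
    fetch(url) -> next URL or None. Swap in an HTTP HEAD client for real use."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError("redirect loop")
        chain.append(nxt)
        seen.add(nxt)
    raise ValueError("too many redirects")

def classify(url):
    """Return (verdict, reasons), judging the whole chain, not just the link in the mail."""
    try:
        chain = resolve_chain(url)
    except ValueError as e:
        return "block", [str(e)]
    hosts = [host(u) for u in chain]
    reasons = []
    if hosts[-1] in BLOCKLIST:
        reasons.append(f"final destination {hosts[-1]} is blocklisted")
    # A known shortener that redirects to yet another redirector rather than a
    # final page is the nesting pattern described above.
    for i in range(len(chain) - 2):
        if hosts[i] in KNOWN_SHORTENERS:
            reasons.append(f"shortener {hosts[i]} redirects to another redirector {hosts[i + 1]}")
    return ("block" if reasons else "allow"), reasons
```

The nested-shortener check fires even when the final domain is not yet on any blocklist, which is what makes the chain itself the signal.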

Sergeant says that so far all the spammer-run shortening sites have .ru domain names and are hosted either in Russia or Ukraine.

It's not clear whether this technique will catch on and become a routine tool for spammers. "They may experiment with it awhile and find it does or doesn't work," he says.



Originally published on Network World.
