Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Spammers Establish Fake URL-Shortening Services

timothy posted more than 3 years ago | from the services-seems-a-strong-word dept.

Spam 99

Orome1 writes "Spammers are establishing their own fake URL-shortening services to perform URL redirection, according to Symantec. This new spamming activity has contributed to this month's increase in spam by 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March. Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened-URL on the spammer's fake URL-shortening Web site, which in turn redirects to the spammer's own Web site."

cancel ×

99 comments

Good news, no? (4, Interesting)

greichert (464285) | more than 3 years ago | (#36237672)

So if you block the fake URL-shortening domain with an "ad-blocker" or at the browser level (à la Google Chrome), you avoid pretty simply the redirection to the spam side, without having to block the legitimate URL-shortening sites. Or am I missing something?

Re:Good news, no? (3, Informative)

WrongSizeGlass (838941) | more than 3 years ago | (#36237728)

Or am I missing something?

What we're all missing is the list of these fake URL-shortening sites. Neither the article or the full PDF listed them.

Re:Good news, no? (1)

IAmGarethAdams (990037) | more than 3 years ago | (#36237756)

There's no point listing them. It's trivial to set up a new alias so there would never be an up-to-date exhaustive list.

The only solution is to follow the trail of redirects until you reach a real site, and look at that URL. Even then, there are ways to mask that if the spammers really want to.

Re:Good news, no? (1)

smelch (1988698) | more than 3 years ago | (#36237850)

Are there any plugins to auto-expand the shortened URLs?

Re:Good news, no? (0)

Anonymous Coward | more than 3 years ago | (#36237942)

Xpnd.it! short URL expander - IMHO the best one, but unfortunately, not (yet?) available for FF4.
FF3: https://addons.mozilla.org/en-US/firefox/addon/xpndit-short-url-expander/

FF4: https://addons.mozilla.org/en-US/firefox/addon/long-url-please/

Re:Good news, no? (-1)

Anonymous Coward | more than 3 years ago | (#36237990)

It's 2011 and I still use FireFox.

Just don't follow shortened links (1)

fyngyrz (762201) | more than 3 years ago | (#36240258)

With a URL like "my.tv/fjdhj454jhj45/", you have NO idea where you're being sent. If you click on it, as far as I'm concerned, you deserve what you get. The whole idea of URL shorteners has always been a (further) invitation to trouble. So is allowing redirection. So is hiding the URL bar. These are ideas that offer utility if used responsibly, but open the gates of doom as soon as anyone with evil intent takes advantage of them. And the fact is, the web is rife with folk of evil intent.

When I see a shortened URL, I just skip it.

Re:Good news, no? (1)

cyborch (524661) | more than 3 years ago | (#36239442)

Several. Google for "URL expander".

Re:Good news, no? (1)

Stewie241 (1035724) | more than 3 years ago | (#36238140)

In the meantime, you confirm to the spammer that you actually read the email by following their (presumably) unique link and they start sending more emails.

It was to be expcted (4, Interesting)

Pegasus (13291) | more than 3 years ago | (#36237674)

I always found url shortening to be a weird and potentially dangerous practice. Trading some comfort to squeeze your link into a tweet for the comfort to actually predict where this link will take you? No thanks. If url does not fit into a tweet, then it's a tweeter problem that tweeter should fix. That's also why I don't use tweeter. I find IRC superior :)

Re:It was to be expcted (4, Interesting)

erikdalen (99500) | more than 3 years ago | (#36237702)

I've seen URL shortening used in print magazines for quite a long time as well though. Where it makes sense as you have to type the URL by hand to visit it. So Twitter isn't the only use case.

Re:It was to be expcted (1)

xded (1046894) | more than 3 years ago | (#36240378)

Exactly. And they should setup their own service.

So the URL will be something like hxxp://link.nyt.com/Ax91. With the added benefit of shorter codes (due to the limited number of users), special codes all for themselves (e.g., hxxp://link.nyt.com/nfl) and in-house stats collection/DB control.

The user instead will be sure there is some editor taking responsibility for the occasional goatse redirect, which may be removed/updated in a centralized manner at a later time.

If the magazine cannot manage to setup something like this, they should not even start using public tinyurlers...

Re:It was to be expcted (1)

PwnzerDragoon (2014464) | more than 3 years ago | (#36241876)

PCWorld does this (or did, it's been a while since I've read it). Most URLs in their magazine are in the form find.pcworld.com/XXXXX, where the XXXXX is a series of numbers and the link redirects you to the right page.

Re:It was to be expcted (1)

erikdalen (99500) | more than 3 years ago | (#36247914)

Yup, I can only agree to that. Unfortunately the world doesn't always follow my opinions :)

Re:It was to be expcted (1)

cthulhu11 (842924) | more than 3 years ago | (#36247312)

My understanding is that the practice started due to MUA's wrapping lines.

Re:It was to be expcted (2)

stonewallred (1465497) | more than 3 years ago | (#36237712)

It is 2011, who clicks on blind links in emails from people you don't know, or do know for that matter?

There are 4 people who can send me an email with a link that I will click without at least googling it first.

3 of them are IT professionals for major corporations, and the other is a security nut.

Re:It was to be expcted (4, Insightful)

kyrio (1091003) | more than 3 years ago | (#36238006)

The problem is that nearly every computer user clicks on random links. The people who actually know how to use a computer are a very small amount of the total computer users.

Re:It was to be expcted (1)

tlhIngan (30335) | more than 3 years ago | (#36239546)

Are these the same users that we complained about earlier who don't dare click randomly [slashdot.org] on the screen for fear of breaking something?

Hard to squirrel away the two - they're bold enough to click random links on emails, but not bold enough to click on various buttons in programs...

Re:It was to be expcted (1)

Fjandr (66656) | more than 3 years ago | (#36240254)

No, it's not hard to believe both of these behaviours can occur with the same user. It's not hard to believe in the slightest.

Re:It was to be expcted (-1)

Anonymous Coward | more than 3 years ago | (#36238206)

Wow, you don't have many friends, do you?

Re:It was to be expcted (0)

Anonymous Coward | more than 3 years ago | (#36238524)

In 2011, who is afraid of clicking on links? What exactly is going to happen besides being shown some spam? If you're afraid of clicking on a link, why? You are using products that offer a modicum of security I hope.

Re:It was to be expcted (0)

Anonymous Coward | more than 3 years ago | (#36238660)

It is 2011, who clicks on blind links in emails from people you don't know, or do know for that matter?

There are 4 people who can send me an email with a link that I will click without at least googling it first.

3 of them are IT professionals for major corporations, and the other is a security nut.

You'll catch it from the security nut one day. Just my two cents. Bee Karefull

Re:It was to be expcted (1)

Lumpy (12016) | more than 3 years ago | (#36239062)

Almost every single person that works here....

OHHH SHINY CLICK IT CLICK IT!

Re:It was to be expcted (0)

Anonymous Coward | more than 3 years ago | (#36242270)

It is 2011. Why do we even need shortened URLs?

Re:It was to be expcted (1)

bemymonkey (1244086) | more than 3 years ago | (#36237716)

But I need to receive links on my old-ass phone that apparently can't deal with messages longer than 140 characters and therefore probably doesn't even have a browser or 3G or anything that would make receiving a link useful in any way! Don't take away my links!!!

Re:It was to be expcted (2)

jez9999 (618189) | more than 3 years ago | (#36237742)

What is tweeter?

Re:It was to be expcted (3, Funny)

Anonymous Coward | more than 3 years ago | (#36237858)

The opposite of a woofer. Or if you remember Beavis and Butthead... it's the name for the genitalia of a praying mantis. :)

Re:It was to be expcted (0)

Anonymous Coward | more than 3 years ago | (#36237894)

I took the best of both worlds. I made a domain name that was much shorter than our original, but still keeps the brand, sort of, and then redirects to our full blown site. I control the shortening service, clients get easy urls. I set up forwarding for emails too, so it's easier to say on the phone.

Apache mod_rewrite allows you to make a shorting service very easily. Also trivial with PHP, or any scripting language, for that matter.

Re:It was to be expcted (0)

Anonymous Coward | more than 3 years ago | (#36238012)

I think on most services, you can configure it, so that it always shows you where it really redirects, and lets you click the link yourself. It remembers that in a cookie. Just don't go to URL shorteners that don't allow to be configured like this, and you're good.

What I think is a bigger problem with such services, is that after a certain amount of time, the shortened URLs time out, and get deleted, leaving a entirely broken web, that, e.g. when archived, becomes a meaningless pool of unlinked pages.

Re:It was to be expcted (0)

Anonymous Coward | more than 3 years ago | (#36238234)

I always found url shortening to be a weird and potentially dangerous practice. Trading some comfort to squeeze your link into a tweet for the comfort to actually predict where this link will take you? No thanks. If url does not fit into a tweet, then it's a tweeter problem that tweeter should fix. That's also why I don't use tweeter. I find IRC superior :)

If you call it "tweeter" you can pretty much just shut up.

Re:It was to be expcted (2)

Mr_Silver (213637) | more than 3 years ago | (#36238724)

I always found url shortening to be a weird and potentially dangerous practice. Trading some comfort to squeeze your link into a tweet for the comfort to actually predict where this link will take you?

To be fair, it's not just Twitters fault.

It's also the fault of websites who come up with insane 350 character URLs and email clients that attempt to word-wrap the aforementioned 350 character URL and manage to make the hyperlink unclickable.

Oh and Slashdot coders who include the number of characters in between < and > as part of the overall word count for your signature.

ShortUrls are useful if you know (or WOT) owners (1)

stiebing.ja (836551) | more than 3 years ago | (#36241954)

It depends on the service owners - do I personally trust them or not? For example the German Press Agency (Deutsche Presse Agentur - dpa) has its own service only for their own use (About the dpa 'dpaq' servie http://dpaq.de/ueber_dpaq.html [german only]). there are also several other short url services I trust, e.g. made by IT magazines, where you can be sure they will also exist some years long. (Well, I also trust my own service buts thats not yours ;-)).

And by the way - if using the right system (*cough-nix-hrm*) and the right browser (*argh-opera-ahem*)- what do you fear about?
According to dpa, Wikimedia lists 500 short URL services on their blacklist (https://secure.wikimedia.org/wikipedia/meta/wiki/Spam_blacklist) - just add them to your persoanl proxys blacklist maybe? Or just use bfilter (http://bfilter.sourceforge.net/)? (Well, you migh want to add a 'NOFILTER *ebay*' to your urls.local for latter if you want to see the full description at your (un)favourite flee market...)

Anyway, no use to frown because of some spammers again, just use these short links in your PMs, no one will (or shall) click/read them after some time or if they don't know you...

Re:It was to be expcted (1)

hydrofix (1253498) | more than 3 years ago | (#36242428)

Many IRC users also uses URL shortening. Try pasting a dynamically generated content URL containing eg. coordinates and some other random URL arguments. These can easily get longer than say, double the 80-column terminal width. Therefore, for readability's sake, many IRC users shorten long URLs before pasting them (maybe with a small hint of what will be in the link)

jews did it (-1)

Anonymous Coward | more than 3 years ago | (#36237678)

secret jews

call me overly paranoid, but... (4, Insightful)

thomasdz (178114) | more than 3 years ago | (#36237680)

I've never trusted ANY of the URL shortening services. in this age of cut-and-paste, for the most part (except for twitter) *I* really don't see the need for them. (note, I said "*I* don't see any need for them...it's an opinion...don't flame me for an opinion)
I've been goatse.cx-ed on Slashdot too many times, I guess! :-)
when I see a short URL (even those short valid ones from Reddit's imgur.com), red flags go off in my brain. (yeah that hurts)

Re:call me overly paranoid, but... (0)

Anonymous Coward | more than 3 years ago | (#36238154)

I don't trust them either, that's why I wrote my own. My usage is simply so that I can format plain text emails in pine/alpine and not have URL's wrap unpredicatably due to flowed-text and broken clients (my opinion is that this is valid).

Ideally, URL's wouldn't exceed 70 characters to begin with. The problems are overly verbose URI parameters (mostly poor engineering) and googles weighting in searches -- giving way to "http://searchengineoptimizationspammers.com/seo-articles/how-to-be-a-seo-whore-and-artifically-inflate-your-worthless-content-in-google-search-results.html" rather than "http://seospammers.com/search-spamming.html".

Re:call me overly paranoid, but... (1)

greed (112493) | more than 3 years ago | (#36238538)

Alternately, clients could properly re-assemble a URL by dropping whitespace between < and >. That does mean you'd have to use <http://www.google.com> in plain text, but that's actually (one way) recommended in appendix C of RFC 3986. (RFC 1738 recommended <URL: and > as delimiters, that never caught on.)

And hey, look at that, RFC 1738 and 3986 already includes information on re-assembling a URL that has had whitespace (including newline) injected by formatting.

Which means the fact that this doesn't work in general is just sad.

(Though that thing Exchange does to "text/plain" e-mail to create a "text/html" version is just obscene. It completely re-writes the plain-text part, in addition to synthesizing HTML.)

Re:call me overly paranoid, but... (0)

Anonymous Coward | more than 3 years ago | (#36240508)

Which means the fact that this doesn't work in general is just sad.

True but if using short URL's is valid for twitter and print, a hundred lines of php on my webserver is a small price to pay to spare my eyes from long URL's wrapping in my client. I should think my email recipients trust me enough not to goatse them and it's far easier than having to resend links should some obscure webmail gateway break them.

In an ideal world, all canonical URL's would be short form.

Re:call me overly paranoid, but... (0)

Anonymous Coward | more than 3 years ago | (#36240758)

In addition to the article, I'm amazed we haven't seen URL shorteners that just wrap whatever page you're on with some javascript (or load it and send it to you, basically a MitM) and log everything you enter as you continue browsing the internet. Especially now that url bars are being hidden, they could wrap the page with their own imitation url bar (a la Google Translate) and most users would never even be aware they're being tracked. It could stay up for weeks, with the tendency for browsers to save browsing sessions.

Looks like I've got some work to do, there are probably (dirty) millions to be made.

Re:call me overly paranoid, but... (0)

Anonymous Coward | more than 3 years ago | (#36242178)

I've never trusted ANY of the URL shortening services. in this age of cut-and-paste, for the most part (except for twitter) *I* really don't see the need for them. (note, I said "*I* don't see any need for them...it's an opinion...don't flame me for an opinion)
I've been goatse.cx-ed on Slashdot too many times, I guess! :-)
when I see a short URL (even those short valid ones from Reddit's imgur.com), red flags go off in my brain. (yeah that hurts)

Some of them might offer options like click-counting. Even that doesn't seem to be useful for personal stuff, and is probably just for vanity.

TinyURL (5, Informative)

The MAZZTer (911996) | more than 3 years ago | (#36237694)

You can mitigate this on TinyURL by using this [tinyurl.com] .

Re:TinyURL (3, Insightful)

freedumb2000 (966222) | more than 3 years ago | (#36237714)

That should really be the default setting.

Re:TinyURL (2)

dmomo (256005) | more than 3 years ago | (#36239100)

Should be, but it just doesn't go over well. I tried that with SoCuteUrl and got a number of emails asking to change it back. I do allow users to set a cookie so that they always go to preview first, but most people don't know it exists.

One additional benefit this practice could have, though, is to make it harder for people to use the service for SEO, since it would not resolve to the spammy page.

Re:TinyURL (1)

complete loony (663508) | more than 3 years ago | (#36237836)

There's a fair number of firefox addons that help you shorten urls. Are there any that show you where short urls redirect to?

Re:TinyURL (1)

smelch (1988698) | more than 3 years ago | (#36237864)

That is what I would like to know. I've never written a browser plugin, but that would be a pretty easy one to start on if there aren't already some good ones out there.

Re:TinyURL (1)

lavagolemking (1352431) | more than 3 years ago | (#36238142)

Request Policy [mozilla.org] prompts you before each redirect that isn't on the same website. I don't know any way to turn it off or whitelist it, if you're looking for that, but it's probably your best bet.

Re:TinyURL (0)

Anonymous Coward | more than 3 years ago | (#36238704)

There is a GreaseMonkey script called TinyURL Decoder that un-shortens URLs: http://userscripts.org/scripts/show/40582

Re:TinyURL (1)

aujus3 (2119090) | more than 3 years ago | (#36237846)

I don't use TinyURL since a class project last Fall wherein the prof tried using TinyURL to link to assigned sites; the links, nearly a dozen of them, broke almost immediately and he had to waste time figuring out a workaround. Partly his fault for wanting to use short URLs when he didn't really need to, but also partly TinyURL's fault for breaking. For the record, it's really rare that I find a need to shorten a URL (I don't use Twitter either - http://www.youtube.com/watch?v=KagkNFYJvuY&feature=related [youtube.com] ). Maybe it was a fluke, but it left a bad taste in my mouth nonetheless.

Re:TinyURL (1)

bhtooefr (649901) | more than 3 years ago | (#36237980)

By the way, YouTube URLs can be shortened easily, without using an untrusted shortener...

http://youtu.be/KagkNFYJvuY [youtu.be]

And Google does own the domain.

Re:TinyURL (1)

J_Darnley (918721) | more than 3 years ago | (#36238816)

Why not just use the 11 characters of the URL that identify the video?

Re:TinyURL (1)

bhtooefr (649901) | more than 3 years ago | (#36243070)

Because copying and pasting is a pain in the ass when you can have a clickable link instead.

Especially when you're on a phone.

Didn't click - TinyURL (-1)

JSBiff (87824) | more than 3 years ago | (#36237890)

Well, I'm interested in what you had to say but I didn't click because it leads to a TinyURL, and god knows where that'll take me.

Block (0)

Anonymous Coward | more than 3 years ago | (#36237696)

Easy solution: Block all URL-shortening services.

Re:Block (1)

Ungrounded Lightning (62228) | more than 3 years ago | (#36239588)

Easy solution: Block all URL-shortening services.

Which breaks a lot of web traversal.

That's also why just blocking the bogus URL shortening services is also not as easy a solution as it sounds: Apparently these services were up for a while, gaining legitimate users and an air of legitimacy, before the spammers began using them for malware.

How do you know (0)

Anonymous Coward | more than 3 years ago | (#36237708)

So you are telling me I shouldn't trust any tweets with sp.am in them then?

Re:How do you know (1)

maxwell demon (590494) | more than 3 years ago | (#36237856)

So you are telling me I shouldn't trust any tweets with sp.am in them then?

Actually, the really dangerous links go to ev.il :-)

One major problem... (0)

Anonymous Coward | more than 3 years ago | (#36237794)

Legitimate URL shorteners don't care how their service is being used.

I've had contact with tinyurl, bit.ly and a few other shorteners with regards to spam links posted on forums, and sent by email. They'll stop one or two of them, but after a while of sending them reports, they'll just get mad at you and then ignore your emails. Well excuse me for trying to reduce the spam problem.

Sorry, I can't follow (1)

Errol backfiring (1280012) | more than 3 years ago | (#36237796)

So a redirecting service redirects to a fake redirecting service that somehow redirects but to the wrong place? And how is that useful?

Re:Sorry, I can't follow (1)

Dachannien (617929) | more than 3 years ago | (#36239724)

That's so when the good folks at TinyURL (or wherever) go to check the destination of the link, the spammers can instead display a clean article somewhere. But when anyone else visits, they get the malware version.

Who cares about spammers (-1, Troll)

aaaaaaargh! (1150173) | more than 3 years ago | (#36237834)

I'm getting around 50 messages of spam daily and all of them are filtered out by my spam filter. Sometimes when I'm bored I even read the spam for entertainment. To cut a long story short, I have yet to meet a person for whom spam has ever been a real problem. Do you know any 'spam victim' personally? If so, what was the problem? The spam or that person's own stupidity? Sure people get ripped off by spammers, but if there was no spam at all these people would just loose their money and get ripped off legally, by buying stupid shit they don't need, by legal online poker, etc.

IMHO anti-spam propaganda has been invented by self-proclaimed internet vigilantes in the good old Usenet days and spam never really was a serious problem -- at least not as much of a problem as those caused by the fascist laws against spammers that have been invented in some countries. My 2 cents.

(I don't deny that viruses and trojans are a problem, though. But that's another matter.)

Re:Who cares about spammers (2)

erroneus (253617) | more than 3 years ago | (#36237996)

It's a question of what scope you care about.

Many "netizens" care about the entire internet and all of its users [to a degree]. As for myself, I don't give it much thought since, like you, I don't have a problem as my methods, manners and technologies keep me clear of such problems. But in the interests of goodness and justice, I still care about the idiots, morons and unwashed out there who simply don't [care to] know any better. The scum out there needs to be killed.

Re:Who cares about spammers (0)

Anonymous Coward | more than 3 years ago | (#36238072)

"spam never really was a serious problem"

Oh, really?

"Pharmaceutical promotions usually account for around 64% of all email spam globally – around 60bn messages a day. This fell to as low as 0.1% over the Christmas period, accounting for a comparatively tiny 70m emails. "It's a drop in the ocean compared [to previous spam levels]," said Paul Wood, a senior analyst at cyber security firm Symantec.

The volume of total email spam dropped to its lowest point in two years last month, from 200bn a day in August to around 30bn daily at the end of December.

But today that figure rebounded sharply to 70bn emails, in the first sign of a resurgence since spam levels flatlined two weeks ago."
http://www.guardian.co.uk/technology/2011/jan/10/email-spam-record-activity

But, clearly, spam "isn't a serious problem."

Re:Who cares about spammers (2, Insightful)

Anonymous Coward | more than 3 years ago | (#36238136)

Can't tell if trolling or just stupid.

My gmail account (about a year old, very odd spelling, probably not randomly targeted) gets around 100 per day, 99 of them get filtered

My work email (firstinitial.lastname@) gets around 500 per day, filter manages to take out almost all of them.

Yet I am still a spam victim, and so are you.
Our corporate mail server only serves about 300 non-alias email addresses. Some of our sales people and executives get upwards of 2000 spam messages a day, and though we are able to filter fairly effectively, thus mitigating the immediate impact to our users; the cost of fighting the spam, upkeep on the filters (1 false positive is worse than 100 spam getting into the inbox) the cost of the appliances, the cost of the rack space, cooling, electricity, etc....

The secondary cost of spam is MASSIVE.
For you it causes higher prices for internet, but it also causes the entire internet to run slower. WAY slower. Because while 100 spam messages would download to me in a few seconds and take a few more seconds to delete (or less because it got filtered) the approximately 55 BILLION spam messages that are sent each day comprise 70-80% of emails sent per day.

Hell, go ahead and take it to the PER USER level on costs. Just like text messages, my phone's internet is cost per unit. A spam email uses some quantity of that unit. Thus a spammer sending me a spam email (that makes it through the filter) costs me that money directly.

Also, as has been said many times before: Spam is not passive, it's active.
IT COSTS ME MONEY EVERY TIME I GET SPAM.

My two choices are "Pay for the spam" or "Don't use any email ever".
If I gave you the choice of paying me 5 pence every time I call you (even if you don't answer) or never again using any form of electronic voice communication (so as to catch any type of VoIP) you'd want me charged with extortion.

tl;dr -
spam uses data -> you pay for data used -> you're a spam victim.
spam costs me money against my will, without being a government agency (they take my money all the damn time) = THEFT

Re:Who cares about spammers (2)

Tony Isaac (1301187) | more than 3 years ago | (#36238216)

Who cares?

Parents! Teenagers are really bad at distinguishing between real and fake. They just click on anything that pops up to make it go away, and they click e-mail links because they look interesting.

Also, computer illiterates, especially older people. My brother-in-law bought something called "Win Anti-Virus" because he got spam telling him that his anti-virus software was out of date. He didn't realize that it wasn't "Norton" Anti-Virus, and that "Win Anti-Virus" is actually a scam.

If you look at spam victims as idiots who deserve to be taken, then I see your point. But if they are people you care about, things look a little different.

Re:Who cares about spammers (0)

Anonymous Coward | more than 3 years ago | (#36238442)

I'm getting around 50 messages of spam daily and all of them are filtered out by my spam filter. [...] To cut a long story short, I have yet to meet a person for whom spam has ever been a real problem. Do you know any 'spam victim' personally? If so, what was the problem? The spam or that person's own stupidity?

Thousands of unsolicited messages a day can rapidly take a mailbox over quota, so filtering on the client isn't a sane choice. Not to mention the difficulty filtering backscatter -- thousands of messages an hour because some spammer forged your address! Filtering on the server can create its own problems with false positives and storage quotas -- it's easier to reject known bad senders at smtp time. The follow on problem is the number of smtp connections, the spammers don't take no(in the smtp 5xx sense) for an answer -- especially since the advent of greylisting. The problems are real.

IMHO anti-spam propaganda has been invented by self-proclaimed internet vigilantes in the good old Usenet days and spam never really was a serious problem -- at least not as much of a problem as those caused by the fascist laws against spammers that have been invented in some countries. My 2 cents.

Thus spake the fuckwit that obviously has no experience with administering email servers? Yes, I've been trolled.

Re:Who cares about spammers (1)

aaaaaaargh! (1150173) | more than 3 years ago | (#36239190)

Thus spake the fuckwit that obviously has no experience with administering email servers? Yes, I've been trolled.

My intention was really not to troll. Look, it's clear that mail server admins, especially the whiny ones (hehehe), don't like spam. I didn't say I like spam either, I said it never was a serious problem and I still haven't seen any argument against this point of view.

Quite honestly, I have never met a 'victim' of spam in real life or on the Net, not a single time. I'm on the Net for more than 15 years now and nobody I have ever met had a genuine problem with his inbox or bandwidth because of spam. I don't deny that there occasionally are extreme cases but as far as I can see these are fairly rare. Moreover, the bandwidth argument someone else mentioned doesn't count at all, because the total amount of email traffic on the Net is fairly small in comparison to the total amount of other traffic, most notably porn streaming and bittorrent.

So at the risk of being modded a troll I continue to submit that spam is one of the smallest problems on the Net and has been vastly exaggerated, but anti-spam advocates have caused lawmakers to produce ridiculously severe and injust penalties for spammers in some countries (e.g. the US).

The real problem, on the other hand, is barely addressed at all: the extreme commercialization of the Internet that started in the 90ies with all its negative side effects. If there was a similar network where commercial entities/for profit sites would be strictly prohibited I'd be among the first to sign up.

Re:Who cares about spammers (0)

Anonymous Coward | more than 3 years ago | (#36239984)

Quite honestly, I have never met a 'victim' of spam in real life or on the Net, not a single time. I'm on the Net for more than 15 years now and nobody I have ever met had a genuine problem with his inbox or bandwidth because of spam. I don't deny that there occasionally are extreme cases but as far as I can see these are fairly rare.

I've seen businesses that rely on email effectively halted due to joe-jobbing/backscatter. [techzoom.net] That is as much due to misconfigured servers as spam, but it is nonetheless a real world problem [taint.org] that you refuse to recognise for whatever reason. joe-job spam [google.com] only gets 17.4 million results in google, so I can see how you don't think it's a real issue.

Sorry, you're either trolling or more stupid than the "spam victims" you denigrated.

Re:Who cares about spammers (1)

aaaaaaargh! (1150173) | more than 3 years ago | (#36241820)

I've seen businesses that rely on email effectively halted due to joe-jobbing [...] That is as much due to misconfigured servers as spam,

Yet, if you configure the servers correctly such problems cannot occur. Am I supposed to pitty businesses that cannot configure correctly the technologies they rely on? As I said, the only victims of spammers seem to be idiots who would be victims of someone else otherwise...

Sorry, you're either trolling or more stupid than the "spam victims" you denigrated.

Clearly, you represent the voice of reason here, as indicated by posting anonymously and enriching your arguments with words like "fuckwit", "troll", and "stupid."

Re:Who cares about spammers (0)

Anonymous Coward | more than 3 years ago | (#36242450)

Yet, if you configure the servers correctly such problems cannot occur.

That is in the single case of backscatter where you're relying on 3rd parties to correctly configure their servers. The number of simultaneous connections to MTAs from botnets can be problematic, as can exhaustion of quotas and storage space. The sheer volume of spam creates issues with bandwidth and software. At one of my clients, the monday morning email pull crippled both the network and the desktops until I installed an on-site mail server with filtering and reject rules.

If you don't experience any problems with email, it is because of the hard work of mail system administrators. For you to claim that spam is not a problem, despite ample evidence to the contrary is not a tenable or reasonable position. The cost to businesses of dealing with spam is ultimately passed onto customers, I can assure you that we are all "spam victims".

Clearly, you represent the voice of reason here, as indicated by posting anonymously and enriching your arguments with words like "fuckwit", "troll", and "stupid."

Thou doth protest too much; it is you who labelled "spam victims" stupid in your initial comment. Could it be that the words with which I enriched my argument were accurate? I think it is, you sir are a troll and I'm done wasting my time with you!

We need standards (1)

davidbrit2 (775091) | more than 3 years ago | (#36237874)

If only there were some way to reference a page on the internet in a canonical, consistent fashion. A uniform locator for a resource, if you will.

Shortened URLs are comfy in my junkmail folder... (0)

Anonymous Coward | more than 3 years ago | (#36237882)

Lately, pretty much all the junk I recieve involves some poorly worded reference to some sort of sexual act, a shortened URL and a stream of random dictionary picked words (to avoid spam filters I figured...but it fails at that hard)

Yet, strangely, I check today and it's completely different. I have a mix of links: One that I have a feeling is what happens when you click a link via a yahoo search, and another that is www.(strange name).com/Iindex (with 2 'i's, beutifully done...not).

I fully agree and sit by anyone who says they do not trust any of these shorteners, aside from the TinyURL you can preview (thankfully). Sometimes, I even enjoy seeing the full addresses before I click them. You can see where in the website you are, (MASSIVELY importantly), the name and format file youre about to open.
The second you don't know what you're clicking is the second you give someone complete control of your address bar. You just better hope that file was a .jpg and not .js

TFA makes no sense, and spam is optional (0)

Anonymous Coward | more than 3 years ago | (#36237896)

I actually read TFA (well, most of it...) and it makes no sense whatsoever.

Even the shortened URL would require that somebody clicks on a link from a spam mail. Who's dumb enough to do that any more? This isn't 1996 where spam is some new thing people aren't aware of. Everyone who hasn't been living in a cave for the last decade and a half is aware enough not to visit links that a spam mail gives them!

Further, how does the presence of a shortened URL "contribute to a 2.9% increase"? The amount of spam sent is determine by how much is sent, not by the content of it.

I don't know many people who even get spam any more. Most people I know got fed up with it, made a new email, and only use it for "safe" things, and never have it online in a machine parse-able way. For registering with web forums and stuff like that you use a throw-away account and then delete it after you register. You cannot be spammed unless you allow spammers to have your address, and I for one consider that unacceptable, so I don't let them have it. It's easy to not get spammed. I haven't received a single spam in the last 10 years, and I'm blown away that spam is still considered a problem.

Unshrink those URLs (1)

ItsPaPPy (1182035) | more than 3 years ago | (#36238028)

This is why I created http://unshrink.me/ [unshrink.me] To combat all these URL shorteners.

QR Codes, too (1)

bwintx (813768) | more than 3 years ago | (#36238096)

For those not crazy about URL shorteners: it's worth remembering that those whose jobs require creation of QR Codes for insertion in documentation and signage sometimes have to shorten URLs for these Codes. An in-house approach to this is best, IMHO, but YMMV.

Re:QR Codes, too (0)

Anonymous Coward | more than 3 years ago | (#36238220)

I actually ran into the URL shortener debate for a QR code art project I was working on. Ultimately, I decided to have a slightly larger code so that the URL would fit in as plain text, and didn't need to wrap it in a shortner. (It also happened to make the stencil for the code easier to make, but that's another story.) Nerdbait QR Code Project [awkwardengineer.com]

Re:QR Codes, too (1)

greed (112493) | more than 3 years ago | (#36238602)

So, uh, how long does a shortened URL remain valid at one of those services?

I couldn't find anything on TinyURL.com that says what their retention policy is. Is it really a good idea to use URLs you don't control in signage? Or even more so, documentation?

Re:QR Codes, too (1)

bwintx (813768) | more than 3 years ago | (#36240394)

As I said, an in-house approach is best IMHO. That's what I set up for my employer for precisely the reasons you apparently have in mind.

Re:QR Codes, too (1)

petermgreen (876956) | more than 3 years ago | (#36295154)

it's worth remembering that those whose jobs require creation of QR Codes for insertion in documentation and signage sometimes have to shorten URLs for these Codes. An in-house approach to this is best, IMHO

Agreed

but YMMV.

If they are going to get an outsider to supply shorter URLs they should have a contractual relationship with them specifying service level agreements and penalties for not living up to them. Really though the only reason to farm it out is either that your webteam is incompetant or there is a complete breakdown in cooperation between different parts of your organisation.

IMO anyone who uses (of their own violation) a public URL shortener for anything important and/or orders others to do so is grossly incompetant.

Spammers already using public shortening services (1)

Cocodude (693069) | more than 3 years ago | (#36238174)

Including one that I own [ho.io] and when they're in a good mood, they attempt to make shortened URLs as quickly as our servers can handle them, often many thousands per day.

Thankfully, due to the sterling efforts of many of the URL blacklisting services out there, these are purged on the hour, on the day, on the week and on the month automatically, so often don't last that long.

However, if legitimate people start to use the URL shortening services that the spammers provide, it'll hardly be in their interests to remove the spammy redirects.

Mitigation possibility (0)

Anonymous Coward | more than 3 years ago | (#36238282)

We have mitigated this where I work by setting up a dedicated domain that does nothing but redirect short URLs created by library staff and faculty. The base domain of the shortened URL is something we have under our control, so a user who sees one of these shortened URLs knows that it's going to go some place that a professor or a librarian has set up. We maintain this through our staff website, with a Drupal CCK that just has two fields - the short URL and the FQDN of the destination page. It seems to be working out well.

The added bonus is that our short URLs are still meaningful, since a prof or a librarian can pick what they want the short URL to be. We limit them to 6 characters, but it's usually some variation on the resulting page. A few URL shortening services let you pick your preferred URL but most of the good ones are gone now. Plus, we can expire them when they are no longer relevant.

Why (0)

Anonymous Coward | more than 3 years ago | (#36238328)

I actually enjoy receiving spam and replying to it so why block the url shorteners?

Fake, eh? (1)

WD (96061) | more than 3 years ago | (#36238346)

If the link is shorter, then I wouldn't call it a fake URL shortener. I think I more sane explanation of what is going on there is that spammers are using redirectors to avoid detection by users and URL-shortening services.

Nothing to see here.

URL Lengthening Service (1)

aapold (753705) | more than 3 years ago | (#36238452)

I've found people no longer trust short URLs. But give them a long, impressive authoritarian-sounding URL and they assume it must be part of some corporate datacenter they can feel safe doing business with. Right now there are a couple, like Johannes longurl [homepc.org] . It works, but doesn't fill the URL with impressive sounding words. What we need is something tied to a thesaurus lookup with all manner of impressive sounding terms meant to subliminally make the person think they are safe. e.g., reallybigcorporationofamerica.com/htppsss/accounting/security/firewall/lockdown/secureurltoken.shtml&verifiedid=320498982342394ab098f&checksum=0342f&etcetcetc

Re:URL Lengthening Service (0)

Anonymous Coward | more than 3 years ago | (#36238744)

uh, needs to be shorter, methinks. how about www.hold.onto.your.hat.buddy/ha/ha/ha/woohoo.baby

Re:URL Lengthening Service (1)

Kolargol00 (1177651) | more than 3 years ago | (#36247986)

http://hugeurl.com/ [hugeurl.com] is my favorite :)

Something like that? (2)

kill-1 (36256) | more than 3 years ago | (#36238630)

Something like shadyurl.com [shadyurl.com] ? This has always been one of my favorite URL "shorteners".

Shorteners Could Be a Trap (2)

sherriw (794536) | more than 3 years ago | (#36238684)

I always wondered what if a not so scrupulous person set up a url shortening service that operated legitimately for a while getting itself spread all over the web. Then one day they change it so that all the urls now point to a frame with the target site surrounded by ads. It would be mostly too late to stop it, and the terms could be along the lines of "we reserve the right to do anything we want with shortened urls".

It drives me mad when I see URL shorteners used in places that do not have a space limitation. Like on a regular website. I get the point of using it on twitter or txt messages, but on a blog or website? Ug. It's killing the web.

Who are they trying to reach? (1)

defaria (741527) | more than 3 years ago | (#36238730)

Why are spammers so insistent on getting people who obviously are not interested in what they are selling to look at their wares? Are there people who then go "Oooohhh, shiny! I must buy, I must buy"?!? Isn't the point really to get sales? I guess there are people like that and as long as there is, there will be spammers.

Re:Who are they trying to reach? (1)

SleazyRidr (1563649) | more than 3 years ago | (#36239070)

Basically it boils down to the fact that spamming is really cheap. So even if only one in a million people says "Oooohhh, shiny! I must buy, I must buy" it'll still be worth your while.

Re:Who are they trying to reach? (1)

dmomo (256005) | more than 3 years ago | (#36239180)

If it's virtually free to bother 100,000 people to make one sale, it's beneficial to a spammer.

Re:Who are they trying to reach? (1)

cdrguru (88047) | more than 3 years ago | (#36240684)

Spammers aren't paid by people that buy. Spammers are paid by the number of messages sent or messages opened. So if they can fool you into opening it, you just got them paid.

You might think that spammers wouldn't get customers any longer. The problem with that is ... it does work! Send out 10 million emails and you get 10 customers you didn't have before. Assuming it is your standard sort of uncancellable subscription credit card purchase (free - just pay shipping and handling!!!) they probably get $100 for each customer. So they only need a few customers to pay for spamming.

There is no solution to this problem, other than rejecting all email. Maybe allow SPF-validated email but that isn't absolute as I am sure there are SPF records that allow sending from any IP address. Face-to-face communication is pretty much the only way to avoid the problem. Insist on it. Email is unreliable and insecure. Telephones are monitored, recorded, tracked and can be easily spoofed so you think it is your friend Fred when it is a telemarketer. Face to face, it is the only way to be sure.

explain to me (2)

Gnaythan1 (214245) | more than 3 years ago | (#36238982)

why are we not prosecuting the advertisers themselves for fraud? who the hell gives these people money to make this multi-headed, nested box, country jumping, spam monster?

Doesn't it boil down to one end getting spam, and the other end getting money? If there is a way for money to transfer to that end, then there should be a way for people to find that end, and then charge them five times whatever money they made in fines.

Stop hitting HOW they spam, and start hurting WHY.

Re:explain to me (1)

dmomo (256005) | more than 3 years ago | (#36239220)

I agree. I assume it's because it is difficult to prove. I don't see how it couldn't be done if there were pressure on our law makers to all it, though. I guess the pressure just isn't there.

I've tried sending nasty-grams to the sellers. For me it was a dead end. But I'm just a dude.

Re:explain to me (1)

bioster (2042418) | more than 3 years ago | (#36242080)

I would assume you'll run into jurisdiction and cost-effectiveness issues. Let's say you're law enforcement in the US and you find a spammer that you can 100% verify lives and works in Canada, a very friendly nation. To go to the effort of getting Canadian authorities to let you do something about it, wouldn't the spammer have to be operating in (at least!) the tens of thousands of dollars?

Now, what if you can't 100% verify who it is? Or what if you can, but they're in some developing nation with a barely pronounceable name and poor relations? Or what if they only do $5k of business a year? Now how about all of the above?

Yo dawg (0)

Anonymous Coward | more than 3 years ago | (#36239182)

We heard you like short URLs, so we put a shot URL inside of your short URL so your URL can be shortened while it is shortened.

Dont click on links in emails from people you dont (1)

Stan92057 (737634) | more than 3 years ago | (#36239580)

Dont click on links in emails from people you dont know. This doesnt change because they shortened the url. they still are selling the same stuff,penis pills and so on. So the "from" will be fake as always,and the same unreadable subject lines.

Re:Dont click on links in emails from people you d (1)

SteveW928 (2030878) | more than 3 years ago | (#36240762)

It is more a problem with things like Twitter, though I agree, same rule applies... just harder to implement there. My advice, use a good browser, properly setup, on a good OS... then even clicking a bad link isn't a problem for the most part so long as you have a bit of common sense.

Shortened URLs get expanded... (1)

SteveW928 (2030878) | more than 3 years ago | (#36240710)

But, shortened URLs get expanded in the end. So, even if they send you to a fake site, the URL of that fake site will then be apparent. If you're reading an article with a shortened link to some article you think should be at yahoo.com and you end up at yarha.com, then you'll realize you've been improperly redirected. It is a problem if you aren't paying attention, but otherwise, not too big a deal IMO. (Just make sure you have all the 'auto-' anything turned off for your browser so the redirect can't link to something which will download and expand, install, run, etc.). But, that is like security 101 anyway. Someone could put a link on any website that sends you somewhere you don't think it will if you aren't paying attention as well... that has been going on for years! Nothing new, just a slightly different form of it.
Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...