
Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for March 2010

Shorten this Spam


Wednesday, March 31, 2010 by James Hoddinott

Terry Zink recently posted an article about an announcement Twitter made earlier in the month and the actions they are taking to further protect their users against phishing attacks; they state:

By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able to keep that user safe.

Based on information from their support pages (here and here) it seems they will use (at least in part) Google Safe Browsing. Users will see the twt.tl shortener service appearing, and it will only be on DMs (Direct Messages) and the email notifications they generate, for now.

URL shorteners work pretty much as the name suggests, taking a long URL (which might perhaps look ugly) and converting it to a much shorter one. With the rise of Twitter and other microblogging services, the need to save precious characters has led to an explosion of URL shortener services. In fact, there is a good chance that you came to this posting via one of these services.

As Terry points out in his post, these services have a fundamental flaw: spammers can and do use them to hide the true destination of their malicious URLs. The URL that they then post is the shortened one, and since the shortener domains are essentially ‘good’, some domain-based filters won’t flag these URLs as spam. His post finishes with:

Now, if only we could get all of the URL shortening services to subscribe to these reputation services.

We’d like to second that comment and call on URL shortening services to take more proactive steps to identify and reduce the volume of spammy links submitted via their services. Even though it only really targets phishing and malware sites, Google has an API for their Safe Browsing service which would be a useful starting point.

Within the Security Operations Center at Cloudmark, one of the many things we keep an eye on is potential new URL shortener services. Our system takes these shortened URLs and follows them to their lengthier original state. This allows us to treat any shortened URL as if the original URL had been posted and use the reputation of that rather than the URL shortener service.
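The expansion step described above, as an added example that is not Cloudmark's code: it follows each redirect hop with a hop limit and loop detection, then scores the final destination host instead of the shortener. The `fetch` stand-in, the redirect table, the host names and the `BAD_HOSTS` list are all constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: URL -> (HTTP status, Location header).
# A real resolver would issue requests with redirect-following disabled.
SAMPLE_REDIRECTS = {
    "http://short.example/a1": (301, "http://tiny.example/zz"),
    "http://tiny.example/zz": (302, "http://pills.spam.example/buy?id=7"),
    "http://short.example/b2": (301, "/b2-loop"),
    "http://short.example/b2-loop": (302, "http://short.example/b2"),
    "http://short.example/c3": (301, "http://news.example/story"),
}
# Constructed reputation list of known-bad destination hosts.
BAD_HOSTS = {"pills.spam.example"}

def fetch(url):
    """Stand-in for one HTTP request: returns (status, location_or_None)."""
    return SAMPLE_REDIRECTS.get(url, (200, None))

def expand(url, max_hops=5):
    """Follow redirects hop by hop; return (final_url, chain, error)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain[-1], chain, None
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            return chain[-1], chain, "non-http redirect"
        if nxt in seen:
            return chain[-1], chain, "redirect loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain[-1], chain, "too many hops"

def classify(url):
    """Score a URL by the reputation of its expanded destination host."""
    final, chain, error = expand(url)
    if error:
        return "suspicious", final  # chains that do not resolve are not trusted
    host = urlsplit(final).hostname
    return ("spam" if host in BAD_HOSTS else "clean"), final
```

Chained shorteners are why the resolver loops rather than expanding once: the first hop in the sample data lands on a second shortener, and only the second hop reveals the host that carries the reputation.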

One of the big problems here, though, is the sheer number of such services that are available; you can even run your own. To give you an idea, here are some numbers:

  • Total number of shortener services discovered: 707
  • Total number of shortener services seen in the past week linking to spammy websites: 275
  • Total number of shortened URLs seen in the past week linking to spammy websites: 5868

(‘past week’ here refers to the 7 days leading up to 30th March 2010)

So in the past week nearly 40% of the URL shortener services that we know about were abused by spammers, and of those, each was used a little over 20 times on average. These are just the services we know about! Every day we discover more, and we now also have some semi-automated systems in place to detect new services before us humans do. This helps us react much more quickly to new spam attacks using shortener services.

We’d love to hear from any URL shortener service that does take abuse of their service seriously and takes proactive steps to identify and remove spammy links from their service.

Mobile Spam – forward that to short code 7726


Thursday, March 25, 2010 by Stuart Paton

A new initiative from the GSMA (the mobile operators’ association, with nearly 800 members) has just been announced to deal with mobile spam sent by SMS. Called the GSMA Spam Reporting Service, it is moving into a pilot phase with AT&T (USA), SFR (France) and Korea Telecom (you guessed it, South Korea), in which phone users on those networks will be able to forward any spam messages they receive to a short code. The aim is to standardize that short code on 7726, which spells SPAM on the handset.

Cloudmark is pleased to be working with the GSMA in this initiative and will be doing analysis on the spam messages forwarded to generate reports for the GSMA to pass on to the operators, so they have a clear view on the spam entering & leaving their networks. This will enable the mobile operators to take informed policy decisions to stop this abuse and to implement targeted in-network content control solutions.

Many people in the Western world will not have seen much spam on their phones via SMS yet, but it is out there (I have had a handful already this year in the UK and our own research 2 years ago shows that even then 66% of people have received some), and in Asia it is already a big problem due to the much cheaper cost of sending SMS. And the costs in Europe and North America are only going one way: down.

The rapid adoption of smartphones and users’ inherent trust of their mobile devices, along with the shrinking costs of sending SMS messages, make the economics of sending spam, phishing and viruses (as URLs in the SMS message which host malware to run on the smartphone) more attractive every day.

Thoughts on Proposed ARIN Policy?


Thursday, March 18, 2010 by David Romerstein

A policy proposal has been floated for discussion at the next ARIN Public Policy Meeting, to be held in Toronto in April. This new policy, if implemented, would allow ISPs to substitute their own contact information in place of their customers’ information in network reassignments and reallocations, in the name of protecting business interests. Functionally, this would be similar to the whois “Privacy Guard” services that many registrars offer their domain registrant customers, but it would apply to information provided while researching network owners, rather than domain owners.

This policy, if implemented, would have multiple consequences, both positive and negative. Cloudmark would like to hear from our readers regarding their opinion of this possible change – please feel free to use the comments section below to let us know how you feel about it.

