A couple of weeks ago, I blogged on the topic of whether or not Twitter spam was possible. It turns out that not only is it possible, but it’s rampant and really annoying.
I signed up for Twitter a couple of weeks ago and without even having written a single thing, I already have 3 followers. But there’s a catch, they’re all spammers! My followers look like this:
That scribbled out red blob is a link to a URL redirection site which points to a spam landing page. And speaking of URL shorteners, this past week All Spammed Up wrote an article highlighting this phenomenon. In an age of Twitter where you only have 140 characters to get your point across, services like TinyURL are useful for compressing really long links so you can save precious characters in the link. But that’s not the only one, there’s SnipURL, Bit.ly and Cligs. The former two have been used in spam for a long time, the latter two I gleaned from my Twitter "followers". I don’t know whether or not they are used in spam.
I checked out all of these sites… and I couldn’t believe the insecurity running on them! It was unreal! All I had to do was enter in a URL, click the button and bam — I had a compressed URL ready for me to use.
Now remember Terry Zink’s Rule of Free Stuff – If you give something away for free, people will abuse it. This is no different, a spammer could easily automate the creation of compressed links and use those to send out spam (or create twitter followers, or live spaces blog sites, or Yahoo Groups invites, or…). There was no CAPTCHA on the site either, so all that would need to be done is have a spammer write a script to plug tons of these things in there. A spam filter could not easily key on the URL in the message to block the message since the root domain is all the same; the filter would have to travel through to the site and then extract the URL to see if it was good or not.
I then thought "Well, maybe these guys should, at the very least, do their own reputation filtering and stop these things at the source." Why couldn’t a shortening service subscribe to URIBL, SURBL or Invaluement and perform reputation and prevent abusive domains from being compressed? I tried it out on my Twitter followers and the results were that the domains that I was redirected to were not listed on any of those sites. This means that these are URLs that are avoiding the bad reputation listing meaning that even if these sites did do some input validation, it wouldn’t matter (for my limited sample set of 3 which I am incorrectly extrapolating to the entire data set to make a point).
My uberpoint is that shortening services need to clamp down on their openness. Yes, I know they want to simplify things but I can guarantee that spammers will start to exploit that freedom and will ruin it for everybody.