Twitter moves to mitigate abuse

  • Article

Twitter recently announced that taking action to mitigate spam and abuse of its service:

A couple weeks ago, Biz explained how Twitter users were being victimized by phishing scams spread primarily through links in Direct Messages. Basically, people click the link and bad things happen. My team can only detect these scams after malicious links have already been sent out.

Today, we’re launching a new service to protect users that strikes a major blow against phishing and other deceitful attacks. By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we'll be able keep that user safe.

I’ve lamented in the past how URL shortening services are very insecure.  All it takes is for a spammer to run a malicious URL through there and then use that shortened URL in a spam message.  They do this because they know that spam filters will often block on the reputation of a domain.  If the spammer includes a known good service like Bit.ly, Tr.im, or Cli.gs, these domains are all known good users.  It is similar to a spammer taking over a legitimate email service like Hotmail, Gmail or Yahoo Mail.  It is reputation hijacking.  In the case of the URL, unless the spam filter follows the URL and finds out what domain it actually points to, it cannot use URL reputation as part of its antispam service.  Most spam filters do not have the time to follow through shortened URLs.

What Twitter is doing, or rather appears to be doing since I don’t know exactly they are doing, is subscribing to a URL reputation service.  These services are populated with URLs from around the Internet that have been deemed malicious by reliable sources.  If the URL is part of the reputation services feed, Twitter will disallow the link.  It’s like an IP blocklist for URLs.  Twitter extracts the URLs, scans them against this service, and if they don’t show up the link is allowed to be tweeted.  If not, too bad.  Thus, they are proactively mitigating the abuse by outsourcing some of their anti-abuse technologies to those who have a lot of experience doing it.  Good for Twitter.

Now, if only we could get all of the URL shortening services to subscribe to these reputation services.