URI-checking mail filter programs such as SpamAssassin have been updated to filter out the redirected sites when a destination remains visible, for example as part of a path or in a CGI argument. However, for those "opaque" redirector sites which hide, encode or key the destination so that it is not visible in the URI (even after extraction or decoding), the only option remaining for URI checkers is to follow the redirector through to see what site it leads to. Clearly this would be too resource-expensive for most mail filters, especially if a chain of multiple redirections were used.
Without a doubt abusers will figure out this loophole soon enough, and the abuse of redirectors in unsolicited messages will increase as a result.
A good solution to the issue of abusers washing their URIs through redirectors may be for the operators of redirector sites to deny services to sites listed on SURBLs. Several operators of redirection services are doing this currently, as you can see from the news below. Perhaps the worst solution would be to do nothing and let abuse of redirector services continue. This also increases the operating and abuse-handling costs of the redirector service, not to mention the costs to the community of unsolicited messages and related phishing and malware sites.
Therefore we appeal to operators of redirection sites to deny access to their services for SURBLed sites. This is easy to do via a DNS query, as explained in the Implementation Guidelines. You may be able to use existing code and scripts that can do these queries, listed on our Links Page, such as surblhost.
Doing this has become practical since reasonably accurate lists of abused URI sites are becoming available such as our SURBL lists at http://www.surbl.org/. For example, Ask Bjørn Hansen of Metamark.net is now using SURBL data to deny services to abusers:
4/30/04: Ask Bjørn Hansen of develooper.com is using SURBL data to block abused sites in the Metamark Shorten™ Service URI shortening and redirection service. This is the first use of SURBL data to prevent abuse of a redirection site that we've heard of! Great going! Ask explains his motivation as: "I mostly did it to make it less likely that I'll have to deal with abusers of the service manually. Hopefully the other redirection services will realize that benefit soon as well."
SnipURL is another redirection service that is using SURBLs in a similar way:
7/23/04: SnipURL is now using SURBLs to deny abusers access to their URL shortening and redirection service.
And TinyURL is also using SURBLs:
11/17/05: Kevin Gilbertson reports that he has been using SURBLs for "about a year now" to protect his popular redirection site TinyURL.com against abusers and phishers.
As is Notlong.com:
11/18/05: Eric Hammond says that his Notlong.com redirection service "has been protected by SURBL since July 2004."
And 301url.com:
5/22/06: 301url.com is also using SURBLs to deny redirection services to abusers and phishers.
And memurl.com:
8/16/06: Christian Stigen Larsen reports that his surblhost program is being used by the redirection site memurl.com to check sites submitted for redirection and to deny services to abusers.
As is easyurl.net:
9/27/06: Mark Jeftovic reports that they "are now checking destination URLs against [SURBLs] and refusing to shorten them via easyurl.net."
And YATUC.com:
2/21/08: Daniel Flandorfer says: "Our redirection service YATUC (yet another tiny url creator) uses SURBL data to check links added into the system. Every link will from now on be checked against SURBL and - if not passed - not be added into the system. [...] Additionally, we will periodically check all links in our system and if needed mark them so that they can't be used any longer. Today we already marked 858 links as spam!! We hope that we can help a bit to reduce the massive use of spam urls."
And is.gd:
8/4/08: Richard West says, "I consider [SURBL] an extremely valuable tool to deny redirection to the majority of spam sites and greatly decrease the amount of abuse we experience."
And Delivr.com:
3/25/09: David Harper says, "Delivr.com has integrated SURBL checks into its mobile-friendly sharing service."
Thank you for your attention and your hopeful consideration in stopping the abuse of your services.