URI-checking programs have been updated to filter out the redirection sites when a destination remains visible, for example as part of a path or in a CGI argument. For "opaque" redirectors, which hide, encode or key the destination so that it is not visible in the spam URI even after extraction or decoding, the only option remaining for URI checkers is to follow the path through the redirector to see where it leads. Clearly this would be too resource-expensive for most spam filters, especially if a chain of multiple redirections were used.
Without a doubt spammers will figure out this loophole soon enough, and the abuse of redirectors in spams will increase as a result.
The best solution to the issue of spammers washing their URIs through redirectors would be for the operators of redirector sites to deny services to spam domains. Several operators of redirection sites are doing this currently, as you can see from the news below. Perhaps the worst solution would be to do nothing and let spammers abuse redirectors at the cost of supporting typically illegal theft of services by spammers, their sites, and their operations, however indirectly.
Therefore we appeal to operators of redirection sites to deny access to your services for spam domains.
We believe that doing so is technically feasible since reasonably accurate lists of spam URI domains are becoming available as a result of anti-spam efforts such as our SURBL lists at http://www.surbl.org/. For example, Ask Bjørn Hansen of Metamark.net is now using SURBL data to deny services to abusers:
4/30/04: Ask Bjørn Hansen of develooper.com is using SURBL data to block spammer domains in the Metamark Shorten™ Service URI shortening and redirection service. This is the first use of SURBL data to prevent abuse of a redirection site that we've heard of! Great going! Ask explains his motivation as: "I mostly did it to make it less likely that I'll have to deal with abusers of the service manually. Hopefully the other redirection services will realize that benefit soon as well."
SnipURL is another redirection service that is using SURBLs in a similar way:
7/23/04: SnipURL is now using SURBLs to deny abusers access to their URL shortening and redirection service.
And TinyURL is also using SURBLs:
11/17/05: Kevin Gilbertson reports that he has been using SURBLs for "about a year now" to protect his popular redirection site TinyURL.com from abuse by spammers and phishers.
As is Notlong.com:
11/18/05: Eric Hammond says that his Notlong.com redirection service "has been protected by SURBL since July 2004."
And 301url.com:
5/22/06: 301url.com is also using SURBLs to deny redirection services to spammers and phishers.
And memurl.com:
8/16/06: Christian Stigen Larsen reports that his surblhost program is being used by the redirection site memurl.com to check sites submitted for redirection and to deny services to spammers.
As is easyurl.net:
9/27/06: Mark Jeftovic reports that they "are now checking destination URLs against [SURBLs] and refusing to shorten them via easyurl.net."
And YATUC.com:
2/21/08: Daniel Flandorfer says: "Our redirection service YATUC (yet another tiny url creator) uses SURBL data to check links added into the system. Every link will from now on be checked against SURBL and - if not passed - not be added into the system. [...] Additionally, we will periodically check all links in our system and if needed mark them so that they can't be used any longer. Today we already marked 858 links as spam !! We hope that we can help a bit to reduce the massive use of spam urls."
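A sketch of the submission-time check the services above describe, added here as an example and not taken from any of those services' code. The zone name multi.surbl.org, the function names and the sample listings are assumptions; the resolver is injectable so the same gate can be re-run periodically over stored links.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"  # assumption: combined SURBL zone, not named on the page

def candidate_names(url):
    """Names to look up for a submitted destination URL."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return []
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        labels = [part for part in host.split(".") if part]
        # Simplification: try the last two and last three labels instead of
        # consulting a public-suffix list.
        return [".".join(labels[-n:]) for n in (2, 3) if len(labels) >= n]
    # IPv4 literals are queried with octets reversed (DNSBL convention); IPv6 is skipped.
    return [".".join(reversed(host.split(".")))] if ip.version == 4 else []

def dns_a_records(name):
    """Live lookup: A records for name, or an empty list when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def listed_name(url, resolve=dns_a_records, zone=SURBL_ZONE):
    """Return the first queried name that the zone answers for, else None."""
    for name in candidate_names(url):
        if any(addr.startswith("127.") for addr in resolve(f"{name}.{zone}")):
            return name
    return None

def accept_submission(url, resolve=dns_a_records):
    """Redirector-side gate: refuse to create a link to a listed destination."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return (False, "unsupported scheme")
    if not candidate_names(url):
        return (False, "no checkable host")
    hit = listed_name(url, resolve)
    return (False, f"destination {hit} is listed") if hit else (True, "ok")

# Constructed sample data: a stand-in resolver so the example runs offline.
CONSTRUCTED_LISTINGS = {"bad-pills.example." + SURBL_ZONE: ["127.0.0.64"],
                        "7.2.0.192." + SURBL_ZONE: ["127.0.0.8"]}

def fake_resolve(name):
    return CONSTRUCTED_LISTINGS.get(name, [])
```

Calling `accept_submission(url)` without a resolver argument performs live DNS queries through the system resolver.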
Thank you for your attention and your hopeful consideration in stopping the abuse of your services.