Trend expected to continue

Jul 30, 2010 14:23 GMT

Security researchers from MessageLabs, Symantec's email security arm, warn that spammers are increasingly using shortened URLs in their campaigns. In the first half of 2009, one in 1,769 spam emails contained a shortened URL; in H1 2010, the ratio was one in 76. The trend is expected to continue.

In its MessageLabs Intelligence report for July 2010 (PDF), Symantec reports that the 0.5% shortened URL spam threshold was exceeded on 68 days during the first half of this year. This is more than double the number of such days recorded for all of 2009, suggesting that the abuse of URL shortening services is becoming a standard practice rather than an occasional occurrence.

As far as the origins of email spam using shortened URLs are concerned, the security vendor says that a new botnet, which appeared in May, accounts for more than half of the output (56.91%). Other unidentified sources, which might be automatically registered and misused webmail accounts, are responsible for another 28.03%.

The top known threat sending this type of spam is the new Storm botnet, which outputs 11.83% of junk emails containing shortened URLs. Other spam botnets, like Rustock, Maazben, Cutwail or Mega-D, have not yet adopted the practice and are each putting out less than 1%.

"URL shortening services work by hiding the URL of the true website by replacing it with the domain of the service followed by a unique key that redirects the visitor to the original website. When spammers include a shortened URL in their spam messages, these shortened hyperlinks contain reputable and legitimate domains, making it harder for traditional anti-spam filters to identify the messages as spam based on the reputation of the domains found in the spam emails," the MessageLabs researchers explain.

The company's stats reveal that doiop.com is the most abused URL shortening service, with links generated through it used in 11.6% of such spam emails. Next on the top 5 list are moourl.com (6.6%), to.ly (6.6%), ho.io (6.3%) and tiny123.com (4.8%). It's worth noting that none of the big players, like Bit.ly or TinyURL, is heavily targeted.
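The filtering gap the researchers describe can be shown with a short added example (not from the MessageLabs report): a domain-reputation check applied to the URL as written in the message, next to the same check applied after following the shortener's redirect chain. The blocklist, the redirect table standing in for live HTTP redirect lookups, the sample message and the choice to mark unresolvable links "suspicious" are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Shortener domains named in the article.
SHORTENERS = {"doiop.com", "moourl.com", "to.ly", "ho.io", "tiny123.com",
              "bit.ly", "tinyurl.com"}
# Constructed reputation data and redirect table (stand-in for reading the
# Location header of each shortener's HTTP redirect).
BLOCKLIST = {"pills.example"}
REDIRECTS = {
    "http://doiop.com/a1b2": "http://moourl.com/zz9",   # chained shorteners
    "http://moourl.com/zz9": "http://pills.example/buy",
    "http://to.ly/loop": "http://to.ly/loop",           # redirect loop
    "http://ho.io/news": "http://news.example/story",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host(url):
    """Lower-cased hostname without a leading 'www.'."""
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def expand(url, resolve=REDIRECTS.get, max_hops=5):
    """Follow shortener redirects; return the final URL or None if unresolved."""
    seen = set()
    while host(url) in SHORTENERS:
        if url in seen or len(seen) >= max_hops:
            return None          # loop or excessively long chain
        seen.add(url)
        url = resolve(url)
        if url is None:
            return None          # dead or unknown key
    return url

def classify(body):
    """Return {url: (naive_verdict, expanded_verdict)} for each URL in body."""
    out = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,);")                 # drop trailing punctuation
        naive = "spam" if host(url) in BLOCKLIST else "clean"
        final = expand(url)
        if final is None:
            expanded = "suspicious"              # assumed policy for unresolved links
        else:
            expanded = "spam" if host(final) in BLOCKLIST else "clean"
        out[url] = (naive, expanded)
    return out

SAMPLE = ("Cheap meds: http://doiop.com/a1b2 and http://to.ly/loop, "
          "story at http://ho.io/news.")  # constructed message body
if __name__ == "__main__":
    for u, v in classify(SAMPLE).items():
        print(u, v)
```

Every link in the sample passes the naive check because only the shortener's domain is visible; the blocklisted destination appears only after expansion.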

You can follow the editor on Twitter @lconstantin