An Open Howl to Senator Tester and Representative Simpson
Top 10 Advanced Persistent Threats

Do URL shortener services generate "safe" URLs?

URL shortener services, whether web-submission forms or embedded capabilities in blogs and Twitter, are a blessing because they take a long hyperlink and make it smaller and convenient for messaging service with character limits. They are a bane because the shortened URL obfuscates the original URL. Shortened URLs as useful to phishers or spammers as they are to tweeters, bloggers, and email users, because:

  • the shortened URL conceals the original, spammy/phishy URL from users (this is the same effect that spammers and phishers hope to achieve by embedding URLs in HTML email)
  • users may believe that their shortener service is trustworthy, or
  • that all services take measures to prevent a spam or phish URL from being shortened.

The sad reality is that popular URL shortener services come up short when it comes to generating "safe" short URLs.

Safetly Testing Shortened URLs

In March 2011, I ran a greatly simplified set of checks based on the testing reported by StopTheHacker in February 2010. First, I went to SURBL and grabbed the list of services that claimed to use SURBL block lists. Some of these were sign up sites, so I  chose additional URL shortener services from  lists enumerating the most popular services [1, 2] to get to a nice round 11 (a baker's ten?).  I then identified 4 malicious URLs from SURBL, PhishTank, and Spamhaus and tried to shorten these 4 URLs using each of the 11 services.

The results are summarized in the table below. You'll note that some services claim to use SURBL but did not block the SURBL URL. These services may have changed their practice and did not inform the SURBL team or perhaps that they cache block lists rather than perform checks each time they shorten a URL. You'll also note that some services block fresh Spamhaus spam URLs but not suspended domains. It's possible that some services will convert a correctly formed URL without checking if the domain is spammy/phishy or even if the domain name resolves. Since "allowed" is not a desirable result, I didn't pursue this further.

Service Uses SURBL SURBL-listed
URL listed on
Suspended Domain
on Spamhaus DBL
Spamhaus DBL
(fresh spam ) YES
 allowed   allowed   allowed   allowed ?  blocked
 blocked YES  blocked
 allowed   blocked 
 blocked NO
 allowed   allowed YES  blocked 
 allowed   blocked 
 blocked YES  blocked 
 allowed   blocked 
 blocked ?  allowed   blocked
 allowed   allowed YES  blocked 
 blocked YES  blocked 
 allowed   allowed YES  allowed   allowed   allowed   blocked NO
 allowed   allowed   allowed   allowed 


allowed indicates that the service did not prevent the shortening of a block listed URL.
allowed indicates that the service allows shortening of a block listed URL but warn

              that the link is possibly abusive.
blocked indicates that the service detected and prohibited shortening of a block listed URL.

If you want to run the tests again, or against your favorite service, here are the URLs I used:

SURBL-listed domain tested:

URL listed on Phishtank : this was a verified phish at time of testing

Suspended domain listed on Spamhaus
(this domain was on DBL and did not DNS resolve at time of testing)

Spamhaus DBL (fresh spam 3/27/11):
(this domain was on DBL and still DNS resolving at time of testing)

Irrespective of whether you test other services or just review the list, I encourage you to go green and use one of the services that pass at least 3 of the four checks I ran.

Some of you may ask, "Should I trust services that allow me to peek at or preview the original URL?" Previewing is a nice feature, and it's offered by,,,,,, and

Preview at least gives you the same opportunity to stop, look, connect that many email clients offer, but it's not an adequate substitute for checking URLs before shortening.


Feed You can follow this conversation by subscribing to the comment feed for this post.

Great post as this topic is never thought of. I use url shortening services quite often but I will take care of this often as my url might also get affected.

Thank you for the testing, it looks like I'll be using

Usually I use URL shortener services for SMO of my links.According to me its safe but your research has created a doubt in my mind about my views.However its really a nice informative blog,I liked your research about the topic.


You are so bad...

is now

This is excellent advice, and very timely. I work for Symantec, and we recently released the findings of our Internet Security Threat Report, Volume 16, which found that attackers overwhelmingly leveraged the news-feed capabilities provided by popular social networking sites to mass-distribute attacks. In a typical scenario, the attacker logs into a compromised social networking account and posts a shortened URL to a malicious website in the victim’s status area. The social networking site then automatically distributes the link to news feeds of the victim’s friends, spreading the link to potentially hundreds or thousands of victims in minutes. In 2010, 65 percent of malicious links in news feeds observed by Symantec used shortened URLs. Of these, 73 percent were clicked 11 times or more, with 33 percent receiving between 11 and 50 clicks.

The comments to this entry are closed.