Real Magnet

The Dangers of URL Shorteners In Email

If you’ve spent any time at all with Twitter, you can’t have failed to notice the popularity of URL shortening services. Shorteners take long URLs and shorten them to just a few characters to help users keep URL length under the 30-character limit imposed on them by the microblogging service (not to mention the overall 140-character limit on tweets).

Senders who use social marketing alongside their e-mail campaigns are often tempted to use URL shorteners in their e-mail creative, often for a variety of reasons. Many of the most popular free services (bit.ly, owl.ly, and others) offer very slick-looking link tracking metrics dashboards. Senders like the idea (with good reason) of using a single interface to track link activity across all of their electronic marketing channels.

In addition, long URLs look ugly in the text version of their creative, which is displayed on old-school feature phones and some of the older (but still widely-deployed) versions of Blackberry smart phones. Links in the creative can wrap three or four times on a small phone screen, but a five-character link means that much more of the actual marketing message can be displayed without scrolling.

But there are a couple of compelling reasons why senders should think twice about using free link shortening services in their marketing e-mail.

A growing number of recipient domains are blocking or quarantining mail containing links generated by URL shorteners. Spammers have quickly discovered that they can use these services to mask their landing pages, which often contain browser exploits that allow them to inject viruses or other malware onto their recipients’ computers. Spammers can also use the services to help disguise web sites that are carefully crafted to resemble on-line banking portals or other high-value targets to try and capture log-in credentials from unsuspecting recipients.

The security industry has responded quickly to this new vector for e-mail abuse. A few weeks ago, blocklist publishing giant Spamhaus introduced a new blocklist specifically for domains known to be used by shortening services, and in that brief time, bit.ly – arguably the most popular shortening service – has already been blocklisted at least once.

Spammers have responded in kind by creating their own URL shortening services, which they then combine with other, legitimate services to evade filters. They’ll create a string of redirects that hop from their own service to one or more legitimate services before finally bringing the recipients’ browser to a trojan-loading page to try and sneak past security scans that may only check one or two hops down the string.

The heavy security surrounding URL shorteners means that automated filtering processes are often checking every shortened link in the content of e-mail for landing pages that are known to be associated with spam and malware attacks. Clicks generated from these automated checks are indistinguishable from human-generated clicks, and as a result, senders often see wildly inflated click through rates on e-mail that contains shortened URLs. Numerous Real Magnet Clients have called in asking how links to the same content (one shortened, the other not) can exhibit such different results in the click through rate. Now you know why.

Real Magnet customers may have noticed recently that we have some nifty solutions to these issues in the pipeline. This summer, our users will be able to manage all of their social and e-mail marketing channels – Twitter, Facebook, LinkedIn, and Magnet Mail – through a single integrated dashboard. In addition, we’re getting ready to roll out our own secured URL shortening service so that the text version our customers’ messages aren’t overburdened with ungainly multi-line URLs. The service will be secured for the exclusive use of Real Magnet customers, so that attackers can’t abuse the offering in a way that would prompt a blocklisting, or raise the hackles of automated link checking filters.

The siren song of free URL shortening services in e-mail is difficult to resist, but senders who succumb may see both deliverability and reporting suffer. Help is on the way for Real Magnet users this summer. Stay tuned to Real Magnet blog for more updates.