About

This all started as a post at some other web site I have. In short, I run my own mail server and I don't much care for spam. Somewhere along the way I found that a fair number of the spam messages I receive have links to URL shorteners in them. The idea of a URL shortener is that some social media services like Twitter limit the number of characters you can put in a message, so being able to use a URL shortening service makes links easier to fit in a message.

The trouble is, spammers figured out that they could use these URL shorteners to hide their spammy domains. As a result the URL shortener thing eventually got me irritated and I set up this DNS list of shorteners so I could use it to help evaluate spam. Eventually I decided to buy this domain and make my list public so other people could use it to block spam too.

It is important to note that I only list sites that are cost-free, account-free, and which can be used to shorten ANY URL. For example, I do not list t.co because it will only allow people to create short URLs to twitter.com. I also do not list any shorteners that require you to set up an account or pay money to create your shortened URLs. Spammers are very unlikely to take the time to set up accounts or to pay money in order to make their short URLs.

How It Works

I have DNS servers that answer when someone tries to query anything in the shorturlbl.ca domain. The URL shortener domains are set up on my DNS servers as subdomains of mine, each with the address 127.0.0.2. For example, if you query 0a.sk.shorturlbl.ca you'll get this:

C:\> nslookup 0a.sk.shorturlbl.ca 69.165.220.221
Server: ns1.snork.ca
Address: 69.165.220.221

Name: 0a.sk.shorturlbl.ca
Address: 127.0.0.2

If you do the same thing for reddit.com.shorturlbl.ca you get an NXDOMAIN reply like this:

C:\> nslookup reddit.com.shorturlbl.ca 69.165.220.221
Server: ns1.snork.ca
Address: 69.165.220.221

*** ns1.snork.ca can't find reddit.com.shorturlbl.ca: Non-existent domain

Both are perfectly valid domains and both have some kind of web site, but only the URL shortener domain gets the 127.0.0.2 reply from my DNS servers. To get SpamAssassin to use the DNS blacklist you need to add some lines to your SpamAssassin config files. I strongly recommend using a meta rule to score these URL shorteners, because you wouldn't want to block ALL messages that contain shorteners, in case a legitimate sender uses one of them. Try something like this:

urirhssub  FU_SNORKBL   shorturlbl.ca A 127.0.0.2
body       FU_SNORKBL   eval:check_uridnsbl('FU_SNORKBL')
tflags     FU_SNORKBL   net
describe   FU_SNORKBL   This email contains a link to a URL Shortener site.
score      FU_SNORKBL   0.01

rawbody    __FU_MARKETING  /marketing/i
meta       FU_SHORTENER1   (__FU_MARKETING && FU_SNORKBL)
score      FU_SHORTENER1   6.5
describe   FU_SHORTENER1   The term "marketing" and a URL shortener site.

Normally you would probably want to use double underscores on the FU_SNORKBL rule name, but meta rules still work without them, and if you leave out the double underscores you'll be able to see how often the shortener rule is being hit on non-spam messages too. These rules basically tell SpamAssassin to go through the message looking for any URLs and make a DNS query for each of them against the shorturlbl.ca list. If it gets a hit and if it also has the word "marketing" in the message, it'll get scored 6.501 points.

If you're getting hit with shortener spam you'll have to look through the messages for unique words, phrases, or other attributes that separate them from legitimate mail and write up some fancy meta rules that suit your spam style.
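
The lookup and meta-rule logic described above, as an added Python example (not code from this page and not how SpamAssassin itself is implemented), which is handy for testing a message against the list outside of SpamAssassin. The function names, the stub resolver and the sample message are constructed for illustration, and trying a hostname's parent domains is an assumption about how to get from a link like www.0a.sk to the listed name.

```python
import re
import socket
from urllib.parse import urlsplit

ZONE = "shorturlbl.ca"   # list zone from the page
LISTED = "127.0.0.2"     # answer the page shows for a listed shortener
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def dns_a(name):
    """A records for name; NXDOMAIN and lookup errors both give []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (OSError, UnicodeError):
        return []

def candidates(host):
    """Yield host, then its parent domains down to two labels."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(max(len(labels) - 1, 1)):
        yield ".".join(labels[i:])

def listed_hosts(body, resolve=dns_a):
    """Sorted domains from URLs in body that the zone lists."""
    hits = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue  # malformed URL, e.g. a broken IPv6 literal
        if not host or re.fullmatch(r"[\d.]+", host):
            continue  # nothing to look up for empty hosts or raw IPv4
        for dom in candidates(host):
            # Require the exact listed value: a resolver that rewrites
            # NXDOMAIN to its own address must not count as a hit.
            if LISTED in resolve(f"{dom}.{ZONE}"):
                hits.add(dom)
                break
    return sorted(hits)

def rules_hit(body, resolve=dns_a):
    """Names of the page's two rules that would fire on body."""
    if not listed_hosts(body, resolve):
        return []
    fired = ["FU_SNORKBL"]
    if re.search(r"marketing", body, re.I):
        fired.append("FU_SHORTENER1")  # the meta rule needs both conditions
    return fired

if __name__ == "__main__":
    # Constructed message and stub resolver so the demo runs offline.
    stub = lambda n: [LISTED] if n == "0a.sk." + ZONE else []
    print(rules_hit("marketing deal http://0a.sk/x https://reddit.com/r/a", stub))
```

Leave out the resolve argument to query the real list through your system resolver.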

Contact

If you're having trouble setting up some rules for your system, or if you think I should add/remove a domain, email me at admin at snork dot ca and I'll see if I can help eh. If nothing else, just send me an email to tell me that you use the list, so I won't feel like I am wasting my time here.