On Tue, 3 Apr 2018 11:21:35 -0400
Rob McEwen <r...@invaluement.com> wrote:

> Thanks for all you do! And good luck with that. But there are a few 
> potential problems. When I analyzed Google's shorteners about a month 
> ago, I found that a VERY large percentage of the most malicious 
> shortened URLs were a situation where the spammers were generating a 
> unique shortener for each individual message/recipient-address.

We found that too, but in most cases, they generated the unique URLs
by adding query parameters to the same base URL, sort of like this:

http://malware.net/?id=znsjdsjau
http://malware.net/?id=aosu94e
etc...

and then shortening them.

So if you blacklist just the base URL, you cover those all off,
assuming you expand out shortened URLs as part of your processing, of course.

> Meanwhile, in my analysis I did about a month ago, about 80% of
> Google's shorteners found in egregious spams (that did this one-to-one 
> shortener-to-recipient tactic)... were all banging on one of ONLY a
> dozen different spammers' domains. Therefore, doing a lookup on these
> and then checking the domain found at the base of the link it
> redirects to... is a more effective strategy for these - whereas, for
> THESE 80% of egregious Google shorteners, a full URL lookup is
> worthless, consuming resources without a single hit.

Yep, that's what we found too.

Regards,

Dianne.
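The two lookup strategies discussed in this thread (listing the base URL with the per-recipient query string stripped, and checking the domain the shortened link ultimately redirects to) as an added example; this is not code from either poster. The shortener host `short.example`, the redirect table, and the blocklists are constructed stand-ins: a real filter would follow HTTP Location headers instead of consulting a dict, and would load its lists from the DNSBL or URI list it actually uses.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed redirect table standing in for an online shortener lookup
# (assumption: in production you follow Location headers with a hop limit).
CONSTRUCTED_REDIRECTS = {
    "https://short.example/aaa111": "http://malware.net/?id=znsjdsjau",
    "https://short.example/bbb222": "http://malware.net/?id=aosu94e",
    "https://short.example/ccc333": "https://newsletter.example/issue/42?utm=x",
    # A redirect loop, so the expander's cycle guard gets exercised.
    "https://short.example/loop1": "https://short.example/loop2",
    "https://short.example/loop2": "https://short.example/loop1",
}

# Blocklist keyed on the base URL (scheme + host + path, query dropped):
# one entry covers every per-recipient ?id=... variant of the same link.
BLOCKED_BASE_URLS = {"http://malware.net/"}

# Blocklist of landing domains, for the "look at where it redirects to" case.
BLOCKED_DOMAINS = {"malware.net"}


def base_url(url: str) -> str:
    """Normalise to scheme + host + path; strip query string and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


def expand(url: str, redirects=CONSTRUCTED_REDIRECTS, max_hops: int = 5) -> str:
    """Follow redirects until the chain ends, a loop is seen, or the hop limit hits."""
    seen = set()
    current = url
    for _ in range(max_hops):
        if current in seen or current not in redirects:
            break
        seen.add(current)
        current = redirects[current]
    return current


def domain_blocked(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Match the host itself or any subdomain of a listed domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in blocked)


def lookup(url: str) -> dict:
    """Expand a (possibly shortened) URL and test both blocklist strategies."""
    final = expand(url)
    base = base_url(final)
    host = urlsplit(final).hostname or ""
    return {
        "final": final,
        "base": base,
        "base_hit": base in BLOCKED_BASE_URLS,
        "domain_hit": domain_blocked(host),
    }


if __name__ == "__main__":
    for u in ("https://short.example/aaa111", "https://short.example/bbb222",
              "https://short.example/ccc333", "https://short.example/loop1"):
        print(u, "->", lookup(u))
```

Both spam samples resolve to the same base `http://malware.net/` and hit on either strategy, while the newsletter link hits on neither; the loop entry shows why the expander needs a cycle guard and a hop limit before it is pointed at live shorteners.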
