Spam spam spam through's URL shortener


Spammers managed to add a gloss of federal credibility to their websites by recycling the open redirect vulnerabilities of state and local websites through the URL shortener, a Symantec analyst found. has offered a URL shortening service through for government domain websites--those that end in .mil and .gov, for example. The shortened URL includes "" in its address, giving shortened URLs a veneer of federal credibility.

The tool, which says is available to anyone via the website or through tools such as TweetDeck that integrate with bitly, doesn't apply a filter to the URLs it shortens, meaning that spammers who found state and local websites with an open redirect vulnerability have been able to shorten their work-at-home spam webpages with the tool, reports Symantec Senior Analyst Eric Park in a blog post.

An open redirect vulnerability occurs when a web server doesn't validate the destination parameter of a redirect--allowing anyone to craft a link on the legitimate site that sends visitors to a destination of their choosing.

For example, Park found that spammers were able to redirect a webpage to a page, creating a "[REMOVED]/?wwvxo" URL. By recycling that URL through the shortener, they hid all traces of spamming in the URL text.
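To show what the server-side defect looks like beside a fix, here is an added example (not code from the article, Symantec, or any government site): a redirect handler that echoes its parameter unchecked, next to one that only accepts same-site paths. The hostname and the sample parameters are constructed for the demonstration.

```python
from urllib.parse import urlparse, urljoin

# Constructed trusted host for the example; not taken from the article.
TRUSTED_HOST = "example.gov"


def unsafe_redirect_target(url_param: str) -> str:
    """The open-redirect pattern: the 'url' parameter is copied straight
    into the Location header, so any absolute URL is accepted."""
    return url_param


def safe_redirect_target(url_param: str, default: str = "/") -> str:
    """Accept only same-site relative paths; anything that could leave
    TRUSTED_HOST falls back to the default landing page."""
    # Browsers strip tabs and newlines before parsing, so "/\t/evil" would
    # become "//evil"; normalise the same way before checking.
    cleaned = "".join(c for c in url_param if c not in "\t\n\r").strip()
    if not cleaned:
        return default
    # Scheme-relative ("//host") and backslash variants ("/\host", which
    # browsers treat as "//host") change the host without a scheme.
    if cleaned.startswith(("//", "/\\", "\\")):
        return default
    parsed = urlparse(cleaned)
    # Any explicit scheme (http:, javascript:, ...) or host is off-site.
    if parsed.scheme or parsed.netloc:
        return default
    # Require an absolute path on this site, not a bare relative segment.
    if not parsed.path.startswith("/"):
        return default
    # Defence in depth: resolve against the trusted origin and confirm
    # the host is unchanged after joining.
    resolved = urlparse(urljoin(f"https://{TRUSTED_HOST}/", cleaned))
    if resolved.netloc != TRUSTED_HOST:
        return default
    return cleaned


if __name__ == "__main__":
    # Constructed sample parameters a spammer-style link might carry.
    for sample in ("/benefits/apply?step=2", "http://spam.example/?wwvxo",
                   "//spam.example", "/\\spam.example", "javascript:alert(1)"):
        print(f"{sample!r:32} unsafe -> {unsafe_redirect_target(sample)!r:30}"
              f" safe -> {safe_redirect_target(sample)!r}")
```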

Using data available on, Park found that between Oct. 12 and Oct. 18, 43,049 clicks were made through shortened URLs to spam domains such as and

In a brief interview, he said the spamming activity dwindled to nearly nothing over the weekend.

For more:
- read Park's blog post on
