Friday, February 4, 2011

URL Shortener Spam Overrunning Blogger Stats

URL shorteners are in your web logs, stealing your clicks. OK, maybe not in all your logs, but certainly they can show up in reports, tricking you into clicking on them, potentially exposing you to spam or viruses.

If you aren't familiar with URL shorteners, they evolved as a method to take those terribly unwieldy web page addresses (you know, the ones with all the random-seeming numbers and letters that go on forever) and replace them with short, simple addresses. Just being able to paste these shortened addresses into emails without them wrapping was already a good enough reason to use them. Twitter has made them a necessity thanks to its character limit coupled with people's desire to include some commentary on links they tweet. The process by which they work is simple — you provide one web address, and the shortener service provides another simple address that redirects all traffic to the address you provided.

But there is a risk. This obfuscation of the destination address makes it hard to quickly evaluate whether or not this is a link you want to follow. You can use these to RickRoll your friends, for example, hiding the true destination of the link. You can also choose links that are far less innocuous. There are many more issues with link shorteners, ranging from link rot to reporting, topics which I have discussed here before, but this time I want to focus on the destination address obfuscation, or what I am now calling Link Lying. And now I'm done calling it that.

There is a new trend that's been annoying me for some time now, but has picked up dramatically in the last few days. When I go to my Blogger Stats tab to see what kind of traffic this site is getting (which may be anemic, but is still valuable to me) I no longer see pages of value in the Traffic Sources section ("referrers" to us in the know, or "referers" if you misspell it like the HTTP spec does). Instead I see a stack of shortened links, nearly all of which point to the practically-prostitution site Adult Friend Finder (if I thought it was run by a bunch of whores before, this game of lying through linking just solidifies that opinion).

I am prepared to take the risk with shortened URLs from my Twitter stream, but I follow a list of people that I trust not to spam me. If they did, I simply wouldn't follow them. I know not to click on links from DM spam (such as when a friend's account is hacked). I know not to click shortened links in unsolicited emails. I had not considered that I'd have to apply the same wariness to my Blogger reports. This image demonstrates how these shorteners have taken over my stats, successfully tricking me twice now into clicking (this image shows just traffic from today).

It's not like the spamming in my stats is a new trend. I see links to sites show up regularly that clearly do not link to me in any way, but manage to get themselves in there regardless. But I don't click on those. I can tell by looking that they are spam. These next images show a week of stats, a month of stats and a year of stats. You can see how the value of this report has dropped off dramatically now that spammers have figured out how to overtake it.

Of the 7 (out of 10) links the other day that were from shorteners, only one presented me with a warning message from Bit.ly that the link itself might be a bad idea to follow. As you can see, this one points to the same site of liars that I reference above. Apparently this one has been reported by another user who was spammed and Bit.ly has flagged it.

But what's telling about this message is insight into how this bait and switch is possible (Bit.ly's language, not mine):

  • Some URL-shorteners re-use their links, so bit.ly can't guarantee the validity of this link.
  • Some URL-shorteners allow their links to be edited, so bit.ly can't tell where this link will lead you.
  • Spam and malware is very often propagated by exploiting these loopholes, neither of which bit.ly allows for.

For those of you young studs looking to break into the cheaters and liars world of spamming via link obfuscation, that's all you are going to get from me out of this post. I think, however, it's pretty clear how this happens.

How You Can Avoid This

In this example, until Blogger fixes how these are reported by pre-filtering the links, you really can't avoid them. I recommend installing a link previewer in your browser. For example, in Google Chrome I have installed ChromeMUSE, which allows me to see the destination of the link before clicking it. Now I can see where the link goes without the risk of infecting my computer or otherwise visiting the site of a pack of liars.

Rely on a more robust service such as Google Analytics, or even something that reads your web server logs like WebTrends (which captures data on all browsers, not just the ones that can run the JavaScript that Google Analytics uses). Leaning on your Blogger dashboard is nice for a quick review, but when the referrers are spam links, you have to wonder how much of that represents real traffic and not just an attempt to show up high enough in your logs for you to click the link.
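As an added example (not from the original post), here is one way to pre-filter a referrer report built from web server logs so that shortened links are set apart from readable referrers. The shortener host list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of shortener hosts; extend it for your own logs.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Apache/nginx "combined" format: ... "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def referrer_host(referer):
    """Return the lower-cased host of a Referer value, or None if absent."""
    if not referer or referer == "-":
        return None
    if "://" not in referer:
        referer = "//" + referer  # let urlsplit treat a bare host as netloc
    try:
        host = urlsplit(referer).hostname
    except ValueError:  # malformed value, e.g. unbalanced IPv6 brackets
        return None
    return host[4:] if host and host.startswith("www.") else host

def split_referrers(lines):
    """Count referrers, keeping shortened links apart from readable hosts."""
    readable, shortened = Counter(), Counter()
    for line in lines:
        m = COMBINED.match(line)
        host = referrer_host(m.group("referer")) if m else None
        if host is None:
            continue  # unparseable line, or a request with no referrer
        if host in SHORTENER_HOSTS:
            shortened[m.group("referer")] += 1  # keep full link for review
        else:
            readable[host] += 1
    return readable, shortened

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Feb/2011:09:12:01 -0500] "GET /post.html HTTP/1.1" 200 5120 "http://bit.ly/EXAMPLE1" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Feb/2011:09:12:05 -0500] "GET / HTTP/1.1" 200 4096 "http://bit.ly/EXAMPLE1" "Mozilla/5.0"',
    '198.51.100.23 - - [04/Feb/2011:09:15:44 -0500] "GET / HTTP/1.1" 200 4096 "http://www.example.org/links.html" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Feb/2011:09:20:10 -0500] "GET / HTTP/1.1" 200 4096 "HTTP://TinyURL.com/example2" "Mozilla/5.0"',
    '192.0.2.50 - - [04/Feb/2011:09:31:02 -0500] "GET /feed HTTP/1.1" 200 900 "-" "FeedFetcher"',
]

if __name__ == "__main__":
    print(split_referrers(SAMPLE_LOG))
```

The shortened bucket is a list to review with a previewer, not to click through; the same link repeated many times in a short window is the pattern described above.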

Net Effect

I already have a problem with link shorteners. I've said as much in previous posts:

I don't trust that a shortened URL will bring me to a safe page. Certainly not when the link comes from a third party, an untrusted source. So if I get an email or a forwarded tweet, for example, and I see a shortened address you can be confident I won't click it. I am not the only one who feels this way. More people are coming over to this camp all the time. Eventually people will not trust shortened links on the whole.

In time we'll see more organizations who have rolled their own or branded a service like Bit.ly with their own address, letting Bit.ly perform all the technical work (redirections, reporting). Web content management systems are finally catching up to the trend, offering aliasing features to allow organizations to create shorter addresses for pages, sometimes bypassing the need for a shortener altogether. In time you may come to recognize a branded URL shortener, like nyti.ms or 4sq.com, and if you trust that organization then you may be comfortable clicking the link.

Update: Feb. 26, 2011

While I didn't think this was unique to Blogger (which has improved dramatically as of late, thankfully), Vox (Scott) posts his own WordPress stat frustrations and provides a nice link back to me.

Update: June 26, 2012

Found a post from May 2012 dealing with a similar issue, Link Shorteners and Referral Spam Suck. It has been over a year since I posted this article and the problem still isn't going away. We may all just be getting used to it.
