home   |    updates   |    domainlist   |    snork.ca

About

This used to be shorturlbl.ca but I eventually decided to drop the domain and just migrate the content (and DNS entries) over to my main site here. If you run an email server you have probably discovered that for every legitimate email, MANY spam messages need to be evaluated and marked or discarded. On my mail server I sometimes see spammers using URL Shorteners to hide their crappy and hacked domain names. So I made this DNS based blacklist of URL shorteners that can be used to help evaluate what is or is not spam.

It is important to note that I typically only list sites that are cost-free, account-free, and which can be used to shorten ANY URL. For example, I do not list t.co because it will only allow people to create short URLs to twitter.com. I also do not list any shorteners that require you to setup an account or pay money to create your shortened URLs. Spammers are very unlikely to take the time to setup accounts or to pay money in order to make their short URL

How It Works

My DNS servers will give an answer of 127.0.0.2 for URL shortener domains in the format:

exampledomain.com.shorturlbl.snork.ca

For example, both reddit.com and 0a.sk are valid domains, however when you query reddit you get:

$ nslookup reddit.com.shorturlbl.snork.ca

*** ns1.snork.ca can't find reddit.com.shorturlbl.snork.ca: Non-existent domain

... while if you query 0a.sk you'll get this:

$ nslookup 0a.sk.shorturlbl.snork.ca

Name:     0a.sk.shorturlbl.snork.ca
Address:  127.0.0.2

To get an application like Spamassassin to use the DNS blacklist you need to configure your Spamassassin with a custom rule. I strongly recommend using a meta rule to score these URL shorteners, because you wouldn't want to block ALL messages that contain shorteners, in case a legitimate sender uses one of them. Try something like this:

urirhssub  FU_SNORKBL   shorturlbl.snork.ca A 127.0.0.2
body       FU_SNORKBL   eval:check_uridnsbl('FU_SNORKBL')
tflags     FU_SNORKBL   net
describe   FU_SNORKBL   This email contains a link to a URL Shortener site.
score      FU_SNORKBL   0.01

rawbody    __FU_MARKETING  /marketing/i
meta       FU_SHORTENER1   (__FU_MARKETING && FU_SNORKBL)
score      FU_SHORTENER1   6.5
describe   FU_SHORTENER1   The term marketing and an URL shortener site.

Normally you would probably use double underscores on the FU_SNORKBL rule name (to hide them from results), but meta rules still work without them and if you leave out the double underscores you'll be able to see how often the shortener rule is being hit on non-spam messages too. These rules will basically tell Spamassassin to go through the message looking for any URLs, and make a DNS query for each of them against the shorturlbl.snork.ca list. If it gets a hit, and if it also has the word "marketing" in the message, it'll get scored 6.501 points.

If you're getting hit with shortener spam you'll have to look through them for unique words, phrases, or other attributes that separates them from legitimate mail and write up some fancy meta rules that suit your spam style.

Contact

If you're having trouble setting up some rules for your system, or if you think I should add/remove a domain, email me at admin at snork dot ca and I'll see if I can help eh. If nothing else, just send me an email to tell me that you use the list, so I won't feel like I am wasting my time here.