We just had to help a MailChimp customer whose email campaigns got this strange warning by gmail:
To be honest, I’ve never seen that warning, and have no idea what exactly triggered it. As you can see, the email was also sent straight to gmail’s junk folder.
On the surface, nothing about the campaign looks bad. The general content of the campaign is fine. The sender is not in a risky business (it’s a church). Their email delivery infrastructure (ahem, mailchimp) is fine. So what gives?
We ran the campaign through our inbox inspector, and got the following “spamminess” score:
Notice it failed Barracuda, Cloudmark, and Postini. It also triggered one rule in Spam Assassin (which, btw, is used in some way, shape, or form by just about all the other spam filters) that got 2 whole points. By now, we should all know how spam filters generally work, and that you shouldn’t use “trigger words” like “FREE!” or “BUY NOW!!!” in your content. But even when you do, those words usually only get assigned a few fractions of a point. Go to this list of spam assassin rules and CTRL+F for the word “FREE!” to see what I mean.
But when you see something getting 2 whole Spam Assassin points like this, something’s very wrong.
The rule that was triggered? The message contained a URL listed in the URIBL Blacklist. Upon closer inspection, it turns out they were using a URL shortener (you know, something like tinyurl.com). I’m not going to name names, but this URL shortener wasn’t quite as well known as most of the others I’ve heard of. No idea if it has a bad reputation, but if it’s new on the scene, chances are high that it doesn’t have enough of a reputation.
In general, URL shorteners are great tools that serve a good purpose, but spammers have abused the heck out of them to disguise their (already blacklisted) links.
In response, some spam filters make a habit out of “clicking” all URLs in an email, just to follow redirects from URL shorteners, and analyze the landing page they’d take you to. Which, btw, can lead to some unintentional unsubscribes, but that’s another topic.
If this is all new and fascinating to you, check out this article from Laura Atkins at Word To The Wise: Failed Delivery of Permission Based Email. She covers a few other seemingly innocent but oft-abused URLs that can get your messages blocked.
But it’s not just URL shorteners at risk. Any domain name with a bad reputation can get blocked. For example, there’s this article from yours truly:
Is Your Domain Name Getting You Blocked?
Finally, if you’re a MailChimp customer be sure to check out our built-in, one-click email checker: Inbox Inspector. It can help you prevent renderability and deliverability problems before you send your campaigns.
Return Path wrote about URL shorteners this week, too:
http://www.returnpath.net/2009/08/dont-snip-your-best-asset.php
@JD – Thank goodness too, because I published my article and thought, “it really could use a little more technical meat.” That was a nice read – never knew there was a consortium for redirector abuse. http://projects.webappsec.org/URL-Redirector-Abuse
That was neat. I have also found that if your content has too many links from sites of ill repute, you end up with the same problem.
So far as URL shorteners are concerned, I would recommend http://www.aafter.com. It generates not one, but a number of tiny urls that can be used on the server.
[...] Many anti-spam systems are suspicious of shortened links (because of their popularity with malware distributors) and may block them outright. [...]
I am seeing the same thing happening to my emails in Aweber when delivered to GMail. Not fun.
@Dave – A quick lookup via URIBL might help you pinpoint the culprit, and then I’m sure the folks at aweber can help you resolve it in no time.
[...] info: Make Your Own ShortenerDon’t Snip Your Best AssetUrl Shorteners and Blacklists Tagged in: short url, [...]
[...] URL Shorteners and Blacklists In general, URL shorteners are great tools that serve a good purpose, but spammers have abused the heck out of them to disguise their (already blacklisted) links. In response, some spam filters make a habit out of “clicking” all URLs in an email, just to follow redirects from URL shorteners, and analyze the landing page they’d take you to. (tags: deliverability) [...]
Thanks for the heads up. I’m thinking of writing my own script so I can use a subdomain on my own site to do redirects. Hopefully that will minimize the risk of this sort of thing… and it helps witth branding.
Just in case you don’t want to re-invent the wheel, there’s an open source url shortener script at yourls.org that lets you host a URL shortener on your own domain (and make it private so only you can use it)
I’ve started using my own short domains instead of the big URL shorteners for just that reason (branding). It also helps to make sure your domain isn’t blacklisted because you can set it so that only you have access to it.
You can find some neat short domains using domai.nr
I wish the post above included which URL shortener caused the problem so others could avoid that one in future marketing efforts. I guess running potential newsletters through spam filter checker tools is a good practice anyway.
I assume this is nothing new and as long as people are using the inbox inspector all should be fine. Excellent piece of coding by the way Inbox Inspector! :-)
If URL shorteners are subject to problems, why wouldn’t any shared URL… for example the URL that y’all use to track link clicks in your emails? Or your own shorteners like EepURL?
Of course, these are confined to your own users to less likely to be outright abused.. but as ReturnPaths article said, the best you can probably do is be REACTIVE to problem sites. Right?
How do you guys manage your redirect domains?
LR, all URLs are susceptible to abuse. As you said, EEPurl is slightly less susceptible by restricting it to internal use only, but that won’t outright prevent it from ever getting blacklisted. The ones that are open to the public are at greater risk, but it’s interesting to see bit.ly taking action. We monitor our own URL reputation on an ongoing basis using a combination of our own internal scanning tools plus services from ReturnPath.
Anyone had similair problems when links include wordpress or blogspot?
That’s actually good to know. I was thinking about using the URL shorteners myself to track clicks as our list starts to build. I’m a fairly new customer so I need to see what you guys offer in that respect as well.
thanks for the info.
Dustin
@ Mr.T i had the same problem and no answer would love some help.
Unfortunately spammers will often ruin many services and cause problems like this. Luckily we see the industry is cracking down tighter on URL shortener abuse and it should pay off.
[...] This post was mentioned on Twitter by MailChimp, benchestnut. benchestnut said: @auto_magical Would love to, but harder to control the link reputation that way. http://bit.ly/hhI8IF [...]
[...] Related:Blog: Hackers and Spammers Prefer Compromised Email AccountsGuide: Email SecurityBlog: URL Shorteners and Blacklists 1 Comment [...]
[...] URL shorteners and blacklists (Mailchimp) - http://blog.mailchimp.com/url-shorteners-and-blacklists/ [...]
[...] getting boring.Case in point: Unfurlr, which uses our email abuse data to tell you what’s hiding behind a shortened URL. Unfurlr was a proof-of-concept to show (to ourselves) that our abuse prevention dataset could be [...]
URL Shorteners and Blacklists In general, URL shorteners are great tools that serve a good purpose, but spammers have abused the heck out of them to disguise their (already blacklisted) links. In response, some spam filters make a habit out of “clicking” all URLs in an email, just to follow redirects from URL shorteners, and analyze the landing page they’d take you to. (tags: deliverability)
[...] links. Link to a special page on your website with information and links to other resources. (Link shorteners are not a workaround.)Make sure the rest of your email doesn’t look like spam, because ISPs [...]
Just got here, just found this info!
I’ve used bit.ly because it is clever and tracks data.
BUT – the enormous machine that Mailchimp is knows lots more from my reading here. HOWEVER, to use the Mailchimp in-house one requires an account – good idea – but can it then be used separately for those quickie emails just out of Gmail?
Actually, the EepUrl link shortener is just limited to internal use. By keeping it a bit more in our control and for internally created or shortened links, we can help maintain it’s reputation. Along the same lines if you’ve ever seen a link and been curious or worried about what’s behind that shortened link, we have a free service to show the target link(s) behind them. It’s called Unfurlr and there’s even a version for iPhones or Android phones as well.