An open letter has been published instructing URL shortening websites and providers that CAPTCHA implementation can minimise spam abuse.

Daniel Axsäter, CEO of CronLab, pointed to instances where research showed that volume spam containing shortened URLs was on the rise. The recent Symantec Hosted Services MessageLabs Intelligence Report for July showed that a website visit is generated for every 74,000 spam emails containing a shortened URL link, and that the most frequently visited shortened links from spam received more than 63,000 website visits.

Axsäter said that the addition of a CAPTCHA can reduce the use of URL shortening services by automated spambots. He said that the largest URL shortening engines do not use any countermeasures to fight spam and most of the ones who do simply use blacklists that are hard to keep up-to-date.

He said: “We hereby encourage all URL shortening engines to implement a CAPTCHA when generating a new URL. We realise that this will make automatic scripting harder, which is exactly the point. For serious users answering a CAPTCHA is not an issue and this can easily be implemented in the API for those engines providing this.

“We strongly believe that whilst this may not decrease the amount of spam sent, it will simplify detection of spam, both for engines (which can handle this reasonably well already) and more importantly, for end-users (who cannot reasonably be expected to handle this). Both bit.ly and tinyurl.com have preview-services, but these require activation on the respective websites and cookies and installation of plug-ins respectively. This isn't good enough for the average user who simply wants safe emails in their email reader.”

Talking to SC Magazine, Axsäter said that what is happening now is that it is easy to produce a shortened link and the effort has been made to make it easy, and those who have done this have done a great job.

“It is easy for humans, but also for spambots and malicious users. It is hard to keep blacklists up-to-date but spammers add new IP numbers,” he said.

“If a user gets a link that says go to Canadian Pharmacy they will probably not click on it, but if it has a bit.ly address it gives the user more security and that trust diminishes over time.”

He admitted that this action would not lower global spam levels, but it would see the numbers of spammers uploading spam via shortened URLs reduced. He also said that the CAPTCHA technology is simple to add and as captcha.net was acquired by Google, there is the capability to add it to many sites.