In defense of URL Shorteners

profile picture of Ruffy Ruffy
FLOSS Flink URL Shortener Project flink.rtrace.io flink.is

Table of Contents

  1. 1. Introduction
  2. 2. What an URL Shortener actually does
  3. 3. Why URL Shorteners are blamed anyway
    1. 3.1. Abuse Reports
  4. 4. Why taking down URL Shorteners is counterproductive
  5. 5. Closing Thoughts

Introduction

I’m the author of Flink, a free and open-source (FLOSS) URL Shortener with a ton of handy features. I operate two of the main public instances: flink.is and flink.rtrace.io. Every day visitors create anywhere between 20 and 80 shortened links across both instances. Most visitors use Flink exactly as intended. To make long URLs easier to share, generate QR codes, or create short, memorable link IDs (or “slugs”). But as with any public-facing service, a small fraction of users inevitably try to abuse it. In the world of URL Shorteners, that usually means attempting to disguise phishing sites or spam campaigns behind innocent-looking short links. When this happens, URL Shortener operators often find themselves unfairly blamed by hosting providers or even domain registrars. This post aims to explain, technically and clearly, why that blame is misplaced, and how responsible shorteners prevent abuse.

What an URL Shortener actually does

At its core, a URL Shortener performs a simple function: it takes a long URL and turns it into a shorter, more memorable one.

For example, the URL of this blog post is: https://blog.rtrace.io/posts/in-defense-of-url-shorteners. That’s 57 characters long. Imagine you’re on the phone with a friend and want to share this link verbally. Reading the entire address isn’t exactly convenient. Your friend would have to type it into their browser, character by character - not particularly pleasant either, and prone to errors. Using a URL Shortener like Flink, you can reduce it to something like: flink.is/shortener. That’s only 18 characters. If that’s still too long for your liking, you can make it even shorter, for example: flink.is/us. Now the short link ID (or “slug”) is just two characters, making the total URL only 12 characters long. Much easier to share, and a lot easier to remember.

When the person on the other end enters this short link into their browser, the URL Shortener looks up the corresponding long URL and redirects them there. Under the hood, the shortener returns an HTTP 301 status code and sets the Location header to the original long URL. When a browser receives a 301 response, it immediately requests the address in the Location header. This happens almost instantly, so to the user it feels like they went straight to the final website without any delay.

HTTP GET /u

-> 301 Moved Permanently
Location: https://blog.rtrace.io/posts/in-defense-of-url-shorteners

That’s it. Note, that there is no HTML from the target site served by the URL Shortener. There’s no content mirrored or hosted. It’s just the HTTP redirect, the same mechanism you encounter when a website changes its URL or enforces HTTPS. At no point does the URL Shortener server “host” or even “touch” the target content.

Why URL Shorteners are blamed anyway

Many automated abuse detection systems (and some human reviewers) see a short URL being used in a phishing email and assume the shortener is part of the scam. Further I’m sure that a lot of the authors of abuse reports, have no deeper understanding of how an URL Shortener works, when accusing them of being part of fraudulent activities. Abuse reports then get sent to the shortener’s hosting provider or domain registrar with wording like: “Your site hosts phishing content at flink.is/abcd123”, typically followed by a request to takedown/suspend the service.

From a network or hosting perspective, though, there’s a clear technical distinction:

  • Hosting means serving the malicious HTML/JavaScript from your servers.
  • Redirecting means telling the browser to fetch it somewhere else.

Suspending the shortener domain doesn’t stop the phishing. The malicious domain continues to exist - and the attacker just moves on to another shortener or creates their own. To put it another way: blaming a URL Shortener for a phishing site is like blaming a street sign for leading toward a bad neighborhood.

Abuse Reports

Here’s an example for Flink being accused by a scamhunter company:

I am XYZ, a Cyber Security Analyst with <company> Inc., duly authorized to represent <company>. 
As part of our mandate, we are tasked with monitoring, validating, and protecting <company> 
online assets against unauthorized use or potential misuse across various digital platforms.

Reference:
Reported URL: https://flink.rtrace.io/np13
Domain Name: rtrace.io
IP address: 152.53.66.229
Creation Date: 2019-07-13
Registrar: Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA
Host: netcup GmbH DE

We are writing to inform you that your website has been flagged for 
hosting content that may be associated with malicious or deceptive activity impersonating <company> services. 
This concern has already been reported to both the hosting provider 
and the domain registrar (Ascio Technologies) for further review and verification.

As part of due process, we are contacting you directly to provide an opportunity for clarification 
or corrective action. We kindly request confirmation and supporting details 
if your website or services are legitimately affiliated with Vodafone Idea. 
Otherwise, we ask that you remove or disable any content referencing <company> 
or its related materials to avoid further escalation. We trust this matter can be resolved amicably 
and appreciate your cooperation in maintaining a safe and transparent online environment.

Please confirm receipt of this notice.

Another abuse report originating from a polish CERT team:

We have received an abuse report concerning your product  RS 1000 G11 12M VIE today. 
Additional information can be found at the end of this message. 
Please inspect the reported abuse and inform us within 48 hours what the cause of the report is.
If you do not reply or if further abuse reports should arrive, we will deactivate your product, 
to prevent further damages. Please note that we have to follow up with every abuse message for good measure. 
If the reason for the report is not understandable or if you are not the initiator, we still need a response from you.

You can find the abuse report at the end of this message.


========== Abusemeldung / Abuse report ==========
time.source source.ip protocol.transport source.port protocol.application source.fqdn source.local_hostname source.local_ip source.url source.asn source.geolocation.cc source.geolocation.city classification.taxonomy classification.type classification.identifier destination.ip destination.port destination.fqdn destination.url feed event_description.text event_description.url malware.name extra comment additional_field_freetext feed.documentation version: 1.2
2025-05-08T01:49:39+02 152.53.67.17 443 http flink.is https://flink.is/XPGL 197540 AT fraud phishing phishing n6.cert.pl https://n6.cert.pl/

Why taking down URL Shorteners is counterproductive

Recently, I compiled a list of link shortener services to help Flink’s spam protection mechanism prevent already-shortened URLs from being shortened again. A quick search on DuckDuckGo revealed over 200 independent URL Shortener services—ranging from commercial platforms to private ones, including various FLOSS and self-hostable implementations. The internet is saturated with URL Shorteners, with the total number likely reaching well into the thousands. This abundance gives spammers and scammers an enormous pool of options to exploit for their phishing campaigns.

Even if one instance gets suspended, the attacker’s target site remains online. In practice this means:

  • Attackers just pick another shortener, and send out their scam campaigns using those
  • Legitimate users of URL Shortener, will lose previously shorted URLs causing HTTP 404s

The smart approach is to take down or block the destination - the domain that hosts the malicious content. URL Shorteners can actually help identify those targets, since they aggregate where attackers/scammers are trying to redirect traffic to. URL Shorteners with good moderation practices in place, can and will report the target scammers websites to their ISPs, Hosters and/or Domain Registrars.

URL Shorteners are a neutral tool, like email or file sharing. They can be used for good - or misused by bad actors. The solution isn’t to ban the tool, but to build responsible implementations and educate those responding to abuse. If hosting providers and domain registrars understood the underlying mechanics, they’d direct their efforts where it matters: at the real origin of the scam.

Closing Thoughts

URL Shorteners are part of the fabric of the web - whether we like it or not. They make links manageable, measurable, and shareable - and yes, sometimes they get abused. But taking them down isn’t a solution. It’s like addressing the symptoms rather than eliminating the root cause.

If you’d like to learn more about Flink or contribute to its development, visit the project page:
👉 gitlab.com/rtraceio/web/flink
Flink Logo


FLOSS Flink URL Shortener Project flink.rtrace.io flink.is

Thank you for reading

I hope you enjoyed reading this article. Maybe it was helpful to you, maybe it was not? Maybe you learned something new? You disliked the article? I'd be glad to hear your opinions. Your feedback is much appreciated and very welcome. Either (anonymously) write a comment in the section below, or send a mail to blog@rtrace.io

Comments 💬