URL Shorteners¶
Under URL Shorteners, the list of known URL shortener services is managed. nmg automatically resolves links from these services in mail bodies and checks the actual destination URL against phishing feeds and RBLs.
Why URL Shorteners Are Dangerous¶
Attackers use services like bit.ly, t.co, or tinyurl.com to obfuscate the actual phishing URL. nmg follows the redirect chain and checks the final URL — not the shortener link itself.
Table¶
| Column | Description |
|---|---|
| Hostname | Domain of the shortener service (e.g. bit.ly, t.co, ow.ly) |
| Built-in | System-provided entry — can be disabled but not deleted |
| Description | Optional note about the service |
| Active | Enable/disable resolution for this shortener |
Adding a Shortener¶
| Field | Description |
|---|---|
| Hostname | Domain of the shortener service (without https://, domain only) |
| Description | Optional free text |
| Active | Activate immediately |
Pre-installed Shorteners (Selection)¶
bit.ly · t.co · tinyurl.com · ow.ly · goo.gl · short.link · rb.gy · cutt.ly · rebrand.ly · tiny.cc · is.gd · buff.ly
Resolution Behaviour¶
nmg follows HTTP redirects to the final URL (or up to a configured maximum number of hops). The resolved URL is:
- Checked against active phishing feeds
- Included in the sandbox report (full redirect chain visible)
- Used for IOC extraction (the destination domain is stored as a URL IOC if the mail is reported as spam)
Performance
URL resolution happens synchronously during mail scanning (sandbox phase). Very slow or unreachable shortener destinations can increase sandbox runtime. Problematic shorteners can be individually disabled.