Summary
Confusing HTML links in spam emails serve a multifaceted purpose: to deceive users and evade spam filters. These links utilize techniques such as URL shortening, redirects, HTML obfuscation, and masking to hide the true destination, making the link appear legitimate and trustworthy. This obfuscation aims to confuse both humans and less sophisticated spam filters, increasing the likelihood of clicks and inbox delivery. Furthermore, these links often incorporate tracking mechanisms, sometimes embedding personalized data to monitor user behavior.
Key findings
- Dual Deception: Confusing links are designed to deceive both human recipients and spam filters.
- Obfuscation Techniques: Spammers employ various methods, including URL shortening, redirects, and HTML masking, to hide the true destination URL.
- Filter Evasion: Complex HTML structures and obfuscation techniques are used to bypass spam filter detection.
- Tracking Implementation: Obfuscated links often include tracking mechanisms to monitor user interaction and behavior.
- Brand Spoofing: Techniques like using trusted brands and unicode domains make the links appear legitimate, particularly on mobile devices.
Key considerations
- URL Verification: Always verify the destination URL before clicking, especially in unsolicited emails, by hovering over the link (when possible) or using URL scanning tools.
- Mobile Caution: Exercise extra caution when clicking links on mobile devices, as it's often harder to preview the destination.
- Sender Authenticity: Carefully examine the sender's address and email content for irregularities or inconsistencies.
- Security Software: Utilize security software with anti-phishing and anti-malware capabilities to protect against malicious links.
- Personal Data: Be aware that clicking on obfuscated links may expose your personal data and online behavior to tracking.
What email marketers say
7 marketer opinions
Confusing HTML links in spam emails serve multiple purposes, primarily centered around deception and evasion. They are used to hide the true destination URL from both recipients and spam filters. This is achieved through techniques such as URL shorteners, redirects, cloaking, masking, and unusual formatting. The aim is to make the link appear legitimate or unrecognizable to automated systems, tricking users into clicking while also bypassing spam filters.
Key opinions
- URL Obfuscation: Spammers use URL shorteners, redirects, and other methods to hide the actual destination of the link.
- Spam Filter Evasion: Confusing HTML links are designed to bypass spam filters by making the link look legitimate or unrecognizable.
- User Deception: Techniques like cloaking, masking, and using trusted brands are employed to trick users into clicking on malicious links.
- Mobile Vulnerability: Deceptive links are especially effective on mobile devices where users cannot easily hover over the link to preview the destination.
- Bypass Detection: Obfuscation in URLs is to evade detection to prevent people from recognizing that it is malicious.
Key considerations
- URL Preview: Always preview URLs before clicking, especially in unsolicited emails.
- Mobile Awareness: Be extra cautious when clicking links on mobile devices due to the difficulty in previewing URLs.
- Brand Trust Verification: Verify the legitimacy of the sender, even if the link appears to be from a trusted brand.
- Filter Awareness: Understand that spam filters are not foolproof and may be bypassed by sophisticated obfuscation techniques.
- Security Software: Consider security software to provide another layer of protection.
Marketer view
Email marketer from Mailjet shares that confusing HTML links are used to obfuscate the actual destination URL from users and spam filters. This makes it harder to identify the link as malicious. They often use redirects or URL shorteners to achieve this.
26 Oct 2022 - Mailjet
Marketer view
Email marketer from Norton explains that the reason that spam emails use cloaking and redirects is to hide where you are actually going, and to get around spam filters. The email will still look like a legitimate link that you trust.
30 Jul 2022 - Norton
What the experts say
3 expert opinions
Confusing HTML links in spam emails serve several purposes. Primarily, they aim to confuse humans and basic spam filters by using complex code. Additionally, these links are employed for tracking purposes, sometimes incorporating personally identifiable information like email addresses. Ultimately, the objective is to evade detection by both users and filters to increase the likelihood of the email reaching the inbox and the link being clicked.
Key opinions
- Confusion Tactic: Confusing HTML links aim to disorient both humans and basic spam filters lacking sophisticated HTML parsing capabilities.
- Tracking Mechanism: Obfuscated links enable spammers to track users who click on the links, sometimes embedding personalized data for enhanced tracking.
- Detection Avoidance: The use of confusing HTML is a strategy to bypass detection by users and spam filters, increasing deliverability and click-through rates.
Key considerations
- HTML Interpretation: Be wary of emails with unusual or complex HTML structures, as they may be attempts at obfuscation.
- Privacy Implications: Consider the potential privacy implications of clicking on obfuscated links, as they may be used to track your online behavior.
- Filter Limitations: Recognize that spam filters are not always effective at detecting sophisticated obfuscation techniques and exercise caution.
Expert view
Expert from Email Geeks explains that the confusing HTML link with the Microsoft domain is there to confuse humans (and, perhaps, really crappy spam filters) that don’t talk HTML. The `target=“blank”` attribute makes them think the spamware may be a bit vague on it too.
24 Jun 2024 - Email Geeks
Expert view
Expert from Word to the Wise Team explains that confusing HTML links are used to avoid detection by users and spam filters, making it more likely that the user will click the link and that the email will be delivered to the inbox.
14 Nov 2023 - Word to the Wise
What the documentation says
3 technical articles
Confusing HTML links in spam emails are primarily used to disguise the actual destination URL, making it appear legitimate and trustworthy. This is achieved through various techniques, including URL shortening, redirects, and HTML formatting. The ultimate goal is to deceive users into clicking on these links, leading them to malicious websites while bypassing their suspicion.
Key findings
- URL Disguise: Spammers use various methods to hide the true destination of a link, making it difficult to identify malicious intent.
- Deception Technique: The primary aim is to deceive users by making the link appear safe and trustworthy, increasing the likelihood of a click.
- Phishing Tactic: Confusing links are a common tactic in phishing and spam campaigns to lead users to malicious websites.
Key considerations
- Verify URLs: Always verify the destination URL before clicking on any link, especially in unsolicited emails.
- Hover Preview: Hover over links to preview the destination URL, but be aware that this can also be spoofed.
- Trust No One: Be cautious of emails from unknown senders or with suspicious content, even if they appear to be from legitimate sources.
Technical article
Documentation from Microsoft explains that attackers use various techniques to hide the true URL of a link, including URL shortening, redirects, and HTML formatting. This is done to deceive users into clicking on malicious links by making them appear safe.
3 Jul 2023 - Microsoft Support
Technical article
Documentation from Cisco explains that one tactic used by spammers is to make the URL look trustworthy to prevent recipients from recognizing it as malicious and to get them to click on the link. This is called masking and is often performed using confusing HTML.
9 Jul 2023 - Cisco
Are Bitly links bad for email deliverability?
Are link shorteners bad for email marketing?
Are URL shorteners like bit.ly bad for email deliverability?
Can a competitor damage my domain reputation by sending spam with links to my site?
Can a competitor damage my domain reputation by sending spam with my URL?
How are spammers getting content for their spam emails?
