• Which security sites are good for checking suspect URLs before clicking on them?

    #1987930

    I am not sure if this is the correct place for this topic; if there is another forum that is more appropriate, please moderators, move it there. Thanks.

    Today I received an email allegedly from Medicare. It looked perfectly the same as other such emails, except there was something slightly unusual in the text, where it mentioned how much my monthly Drug Medicare insurance costs this year and how much it will cost next. According to the email, it will cost a few more dollars per month. This was followed by a large green button to click on in order to go and see what alternative insurers would be charging and, if I saw it to my advantage, change to a different plan during this Open Enrollment Period that, as usual, is taking place in the last part of the year. Nothing wrong with any of that, but when I hovered the cursor over the button, the URL was “lnks.gd/l/” followed by a long helping of alphabet soup.

    So I entered the “lnks.gd” part in Google search and also, later, in DuckDuckGo and got several hits that were links to several (allegedly) security places that would look into the domain for possible infected sites attached to it. I tried “Norton” and got an all clear. Great!?

    Then I found, searching with the keyword “phishing”, the following link:

    https://www.makeuseof.com/tag/4-quick-sites-that-let-you-check-if-links-are-safe/

    which I think is legitimate, and it has a list of different services it recommends. I tried the Google one, and it also gave the domain the “all clear”.

    Now, the question: which site (not necessarily listed there) is a good one to check a domain when one gets an even remotely suspicious-looking email with URL links that say “click me”?

     

    Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

    MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
    Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
    macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #1988771

      Off topic. Not directly addressing your questions, but …
      1 – Domain root gd is Grenada. Why would a company registered there have an interest in US drug premiums? Maybe innocent.
      2 – For Medicare information, I would either look at the Medicare & You book, or start drilling down at https://www.medicare.gov/ . Research is free,  one need not register.

      1 user thanked author for this post.
    • #1988772

      You could try:

      https://safeweb.norton.com/

      Check if a Website is Malicious/Scam or Safe/Legit | URLVoid

      https://cleantalk.org/blacklists

      Searching for information on anything Medicare related:

      Medicare.gov

      1 user thanked author for this post.
    • #1989855

      ? says:

      have you run the header through a spam email header reader?

      https://www.iptrackeronline.com/email-header-analysis.php

      https://mxtoolbox.com/EmailHeaders.aspx

      https://mailheader.org/

      after you get the real ip address (the starred one on iptrackeronline) run the number through speedguides ip locator

      https://www.speedguide.net/ip/

      1 user thanked author for this post.
      • #1995852

        ?

        Thanks for the reminder.

        I forgot about SpamCop

        I haven’t had any spam (none worth reporting) in over a year. Prevention takes a while once your E-addy is out there, it’s worth the effort though.

        If you copy your email headers you can enter them using the Report TAB at SpamCop. You don’t have to be a member to have the headers parsed to find the originating source, then click “Report Spam” and off goes an email to the domain as anon. I never sent a report to any ISP located in China. I think you can report 10 or so for free, but parsing is unlimited (iirc). I’m a member and haven’t used them in a while. Actually forgot about them once my spam slowed to a crawl, to now almost none. 1-3 a month, and those are harmless as they go to my throw-away address.

        • #1995972

          Thanks, Bluetrix.

          Same as you, I don’t get much spam, only from a few companies I have had business with more or less recently, and those I can unsubscribe, although I find it more satisfying to trash them. One curious case is Intel: some years ago, I bought a couple of pricey software compilers from them and, ever since, they have been mailing me a sort of newsletter on IT developments they believe that such an up-and-coming executive as myself cannot possibly live without. No idea where they got their amusing idea of my actual career and position; they certainly are not discouraged by my complete lack of response. But I get a kick out of it, every time I receive one of those.

          Such emails do not worry me, because they are few and far apart and I know they are 100% legitimate commercial spam. I always trash them unread, anyway.

        • #2609047

          I just submitted the headers & body of the email medicare@subscriptions.medicare.gov sent me yesterday & today.

          SpamCop replied with —

          Tracking message source: 199.10.31.237:

          Routing details for 199.10.31.237
          [refresh/show] Cached whois for 199.10.31.237 : networking@carbon60.com
          Using abuse net on networking@carbon60.com
          abuse net carbon60.com = networking@carbon60.com
          Using best contacts networking@carbon60.com
          Message is 5 hours old
          199.10.31.237 not listed in cbl.abuseat.org
          199.10.31.237 not listed in dnsbl.sorbs.net
          199.10.31.237 not listed in accredit.habeas.com
          199.10.31.237 not listed in plus.bondedsender.org
          199.10.31.237 not listed in iadb.isipp.com

          Finding links in message body

          no links found

          If reported today, reports would be sent to:

          Re: 199.10.31.237 (Administrator of network where email originates)

          networking@carbon60.com

           

          That looks like replies I’ve received in the past from spammers’ emails. I chatted with a Medicare “Alexis” who says Medicare sends email from medicare@subscriptions.medicare.gov and medicareaccount@subscriptions.medicare.gov but didn’t know how to respond to why the Admin where the email originated was carbon60.com and that I “unfortunately” cannot access the same information by going to MyMedicare.gov on my own. This is truly silly.
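Added example, not part of any post in this thread and not SpamCop's own code: a Python version of the two steps the header tools mentioned above automate, namely picking the IP address that your own provider's server recorded in its `Received` line and building the blocklist query name behind a "not listed in ..." result. The sample headers, the server name `inbound.mymail.example` and the zone `dnsbl.example` are constructed placeholders.

```python
import email
import ipaddress
import re
import socket

# Constructed sample headers (not from the thread). Addresses are from
# documentation ranges; "inbound.mymail.example" stands for your own provider.
RAW = (
    "Received: from mx.sender.example (mx.sender.example [203.0.113.45])\n"
    "\tby inbound.mymail.example with ESMTPS id abc123;\n"
    "\tTue, 14 Nov 2023 10:02:11 -0500\n"
    "Received: from trusted.agency.example ([198.51.100.7])\n"
    "\tby mx.sender.example with ESMTP id xyz789;\n"
    "\tTue, 14 Nov 2023 10:02:09 -0500\n"
    "From: Benefits <notice@agency.example>\n"
    "Subject: Open enrollment\n"
    "\n"
    "body\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(raw, my_server):
    """IP that our own server saw connecting; lower hops can be forged."""
    msg = email.message_from_string(raw)
    for hop in msg.get_all("Received", []):        # newest hop comes first
        hop = " ".join(hop.split())                # unfold continuation lines
        sender, sep, receiver = hop.partition(" by ")
        if not sep or receiver.split()[0].rstrip(";") != my_server:
            continue
        for cand in IP_RE.findall(sender):
            try:
                return str(ipaddress.ip_address(cand))
            except ValueError:
                continue                           # e.g. [999.1.1.1]
    return None

def dnsbl_name(ip, zone):
    """DNSBL convention: reversed octets prepended to the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """Listed if the name resolves; NXDOMAIN means 'not listed'."""
    try:
        resolve(dnsbl_name(ip, zone))
        return True
    except socket.gaierror:
        return False
```

Only the `Received` line stamped by a server you trust is reliable, which is why the function matches on the receiving server's name instead of reading the oldest hop.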

    • #1989865

      Today I received an email allegedly from Medicare. It looked perfectly the same as other such emails, except there was something slightly unusual in the text, where it mentioned how much my monthly Drug Medicare insurance costs this year and how much it will cost next. According to the email, it will cost a few more dollars per month. This was followed by a large green button to click on in order to go and see what alternative insurers would be charging and, if I saw it to my advantage, change to a different plan during this Open Enrollment Period that, as usual, is taking place in the last part of the year. Nothing wrong with any of that, but when I hovered the cursor over the button, the URL was “lnks.gd/l/” followed by a long helping of alphabet soup.

      It’s Open Enrollment time and you must have a Medicare account. I got the same email with the same type of link only it was to my Medicare account to start choosing a different Pt D plan since mine is going through the roof.

      If you’re leery, just go to Medicare’s site.

      Don't take yourself so seriously, no one else does 🙂
      All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

      1 user thanked author for this post.
      • #1991061

        OK off topic but how much? GF has this.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        • #1991069

          OK off topic but how much? GF has this.

          How much what, Wavy??? Not sure I understand your question.

    • #1995853

      @oscarcp I suggest you look back to your earlier topic on whether emails are spoofed or genuine:
      https://www.askwoody.com/forums/topic/an-intriguing-perhaps-faked-and-dangerous-email-from-apple/

      It really would make emails a fraction more secure if senders such as government agencies/departments, businesses and NGOs took the bother to provide digitally signed emails in the first place. Then you would have the assurance that a) the email address that sent the email wasn’t spoofed, and b) that the contents hadn’t been altered mid-stream (as occurs in some invoice payment scams). It puts me right off receiving emails from such organisations that don’t take the receiver’s security seriously!

      • #1995864

        Kirsty,

        Thanks, good thinking. I forgot about that early incident, back in March, and that thread I started about it, although in that case the email was obviously a fake most likely sent with malicious intent. Some good ideas there, too.

        Fortunately for me, so far there are just a few organizations that, like Medicare, send me regular emails and newsletters, so, if in doubt, I can always check by logging into my accounts with them. Those of unusual origin, I can check with some of these online verification sites, or trash them right away, depending on what they look like in the preview panel. I hope the advice given here and in that other thread can be useful not just to me, but to others as well, as many of us are recipients, now and then, of dubious emails: emails that, somehow, don’t seem right.

        1 user thanked author for this post.
    • #1995973

      Take a look at Surbl, it has an in-house app, or you can put together a small web app that will act as a client of Surbl.

      Martin

      • #1996311

        I suspect many would consider SURBL to be outside the day-to-day realm of most “average” users:

        How
        Using SURBLs requires a mail filter that can extract web sites from message bodies and check them against the lists. Many applications support SURBLs, including SpamAssassin and filters for most major MTAs including sendmail, postfix, qmail, exim, Exchange, qpsmtpd and others.

    • #2609044

      I sent my email, headers et al, to SpamCop and got back:

      Routing details for 199.10.31.237
      [refresh/show] Cached whois for 199.10.31.237 : networking@carbon60.com
      Using abuse net on networking@carbon60.com
      abuse net carbon60.com = networking@carbon60.com
      Using best contacts networking@carbon60.com
      Message is 5 hours old
      199.10.31.237 not listed in cbl.abuseat.org
      199.10.31.237 not listed in dnsbl.sorbs.net
      199.10.31.237 not listed in accredit.habeas.com
      199.10.31.237 not listed in plus.bondedsender.org
      199.10.31.237 not listed in iadb.isipp.com

      If reported today, reports would be sent to:

      Re: 199.10.31.237 (Administrator of network where email originates)

      networking@carbon60.com

      • #2609100

        Spammers can write anything as the “from address” so do not rely on it.

        Does the email look legit?
        Does it contain links that point to places outside medicare.gov? If so it may be phishing.
        Were you expecting mail from medicare?

        cheers, Paul
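Added example, not part of any post in this thread: the "links that point to places outside medicare.gov" check from the reply above, written as Python that reads an HTML message body without opening any link. It also flags links whose visible text shows a different host than the real target; the sample body and its link targets are constructed, and a flagged link is something to verify, not proof of phishing.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body (not from the thread); the token is a placeholder.
BODY = """
<p>Your plan costs are changing.</p>
<a href="https://www.medicare.gov/plan-compare">Compare plans</a>
<a href="https://lnks.gd/l/PLACEHOLDER-TOKEN"><b>Review your options</b></a>
<a href="https://medicare.gov.account-update.example/login">https://www.medicare.gov/login</a>
<a href="mailto:help@example.org">Contact</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def in_domain(host, domain):
    # Exact match or true subdomain; "medicare.gov.something.example" fails.
    return host == domain or host.endswith("." + domain)

def audit_links(html, expected_domain):
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if urlsplit(href).scheme not in ("http", "https"):
            continue                               # skip mailto: and the like
        host = host_of(href)
        shown = host_of(text) if "://" in text else ""
        if not in_domain(host, expected_domain):
            findings.append((host, "outside " + expected_domain))
        if shown and shown != host:
            findings.append((host, "text shows " + shown))
    return findings
```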
