Couldn't they be using this to prevent/detect spam?
Edit: the article claims this can't be so because the page only does a HEAD request, though a HEAD request could be useful if you wanted to detect an HTTPS domain with ephemeral pages (which, perhaps, could be a good feature in detecting spam domains).
FTA: No. It is not a fitting explanation for spam or phishing prevention. The author claims that these sites rarely use HTTPS.
Furthermore, they used test URLs containing hypothetical login credentials and showed how Skype would get access to these.
The last troubling bit the author points out is that there seemed to be anomalous traffic to URLs shared in a Skype conversation, where a Microsoft IP seemed to attempt what they call a "replay attack".
> It is not a fitting explanation for spam or phishing prevention.
It is very common for spammers to break into other websites (using simple, well-known exploits) and create links redirecting to the site hosting the malware. So a site should not be excluded just because it has SSL.
Because "rarely" means "they should just ignore them; no malware hoster would ever use HTTPS, especially not if they ever figured out that Microsoft was only checking HTTP URLs". Also, anyone sending log-in information in a GET request is doing it wrong.
I don't know about Skype, but I know other parts of MSFT would frequently try to classify links on whether they had malware, whether they were phishing attempts and so on. Doing this on IM networks was important, as they could cause so much distribution of such malware through automated sending of messages.
I would be surprised if Microsoft wasn't doing this, as it would leave users at risk.
Also, sending login credentials over HTTP GETs? That's a pretty contrived scenario. The HTTP HEAD might be a red herring - it might just be checking to see whether it redirects somewhere else/whether the URL has already been seen. Perhaps this URL didn't set off the spam/malware machine learning models to initiate a full crawl/human review.
With HEAD you should get the Content-Type header, which could be used for detecting malware (i.e., if the content type points towards an executable). Frankly, I'd be more worried about web services that carry authentication in the URL than Skype checking them out.
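The two comments above suggest a HEAD request is enough to see whether a link redirects and what Content-Type it declares. The sketch below is an added example, not code from the article or from Skype; the function names, the list of risky media types and the localhost sample replies are all assumptions made for illustration.

```python
import threading
from contextlib import closing
from http.client import HTTPConnection, HTTPSConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumption for this example: media types treated as Windows executables.
RISKY_TYPES = {"application/x-msdownload", "application/x-dosexec",
               "application/vnd.microsoft.portable-executable"}

def classify(status, headers):
    """Classify a HEAD reply from its status code and headers alone."""
    if 300 <= status < 400 and headers.get("Location"):
        return ("redirect", headers["Location"])
    ctype = (headers.get("Content-Type") or "").split(";")[0].strip().lower()
    return ("executable" if ctype in RISKY_TYPES else "ok", ctype)

def triage_head(url, timeout=5):
    """Send one HEAD request, without following redirects, and classify it."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    with closing(conn_cls(parts.hostname, parts.port, timeout=timeout)) as conn:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return classify(resp.status, resp.headers)

# Constructed replies served on localhost, standing in for shared links.
SAMPLES = {"/page": (200, {"Content-Type": "text/html; charset=utf-8"}),
           "/setup": (200, {"Content-Type": "application/x-msdownload"}),
           "/go": (302, {"Location": "http://other.example/landing"})}

class SampleHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        status, headers = SAMPLES.get(self.path, (404, {}))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

def run_demo():
    with HTTPServer(("127.0.0.1", 0), SampleHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            base = "http://127.0.0.1:%d" % server.server_port
            return {path: triage_head(base + path) for path in SAMPLES}
        finally:
            server.shutdown()
```

The Content-Type is only what the server declares, so a check like this is a cheap first filter rather than a verdict on the content itself.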
I can confirm that HTTP links, not just HTTPS, are visited by a Microsoft IP if you paste them into Skype. I noticed it happening a couple of weeks ago.