On Wed, Feb 21, 2018 at 1:38 AM, @lbutlr <krem...@kreme.com> wrote: > On 2018-02-20 (22:10 MST), Reindl Harald <h.rei...@thelounge.net> wrote: >> >> you may hit confirmation-urls (both ham and spam), trigger actions, trigger >> *one-time* urls which are invalid for the user after a dumb bot used them >> not talking about that it would be illegal in many countries in case of >> private ham-mails > > As I suspected, it is possible to get the goo.gl target URL without loading > the site, though using curl is probably not realistic in this specific case. > > $ curl -s "http://goo.gl/ylUAd" | grep -o "http[^\"]*" > http://www.hollywoodreporter.com/thr-esq/donald-trump-threatens-sue-macy-422135 > > $ curl -s "http://bit.ly/savecastle" | grep -o "http[^\"]*" > http://community.livejournal.com/castle_tv/28872.html > > Doesn't work with t.co, but that is not surprising since twitter uses that > specifically to hide URLs, considering them all their property that must go > through their servers.
This is what DecodeShortURLs is for https://github.com/smfreegard/DecodeShortURLs