What is UTM in links, how to share them correctly and where do hidden links from emails lead?

School
, ,
1

UTM

I often see people sharing their Avito ads in messaging apps or emails with friends, like this example:

Hi! Selling a bicycle, discount for friends
https://www.avito.ru/samarskaya_oblast_mirnyy/velosipedy/shosseynyy_velosiped_bxt_karbon_shimano_105_4113625812?utm_campaign=native&utm_medium=item_page_android&utm_source=soc_sharing

UTM tags are used to track website visitors. In this case, roughly:

  • native — sent by the ad author
  • item_page_android — source device is Android
  • soc_sharing — the “Share” button from the app was used to generate the link

How should it be done? Cut off everything starting from the question mark. Here’s the clean link:

https://www.avito.ru/samarskaya_oblast_mirnyy/velosipedy/shosseynyy_velosiped_bxt_karbon_shimano_105_4113625812

What’s wrong with these tags? Your contacts shouldn’t click on tracked links. Although this is already scary, read on — it gets worse.

A person engulfed in flames of anger and disappointment, looking at a computer screen showing a screaming person. (AI-generated caption)
A person engulfed in flames of anger and disappointment, looking at a computer screen showing a screaming person. (AI-generated caption)1344×768 161 KB

Redirects and Short Links

For safety, always check where short links lead.

Recently, I was looking for a password storage service to deploy on my own server. I stumbled upon Bearpass. I received an email with instructions, and when I hovered over the links (on mobile, you wouldn’t even notice this!), I realized they were tracked via a third-party service:

A screen displays a message from BearPass, inviting users to register for their password manager and complete a few simple steps to set up a free copy of their passwords. (AI-generated caption)
A screen displays a message from BearPass, inviting users to register for their password manager and complete a few simple steps to set up a free copy of their passwords. (AI-generated caption)915×1048 191 KB

Even the link to their homepage is tracked. This is quite unattractive. They track every click. Website owners use this information in different ways. Some use it to display ads, while others redirect users to pages where malware can be downloaded.

Don’t click on such links. You can safely expand them using online services, for example:

The link from the example contains a base64 hash that can be decoded into a human-readable URL.

https://us4-usndr.com/ru/tr/?uid=NTEwMjkyOQ~~&hash=UbsDJ9aXeZC4UVIn6P5PLeuuqmFoSrLOMm0ais9zybx8vPPNAt_5-FTQnH_6vg2jAjfjnJ7LOM71nb3Zh7bu9wO_DLHXKCk9yY_HZN6zB_rTulCmjTjdNrqOmg5Yu83ELhvM2remNqLTulCmjTjdNi58oL3tg7gO-obsLVZvT1rXnaXjHImc-GvSRzIgHEWe8tlEOjlMRFawyFLa2eFPF-lBNz0subCQd2h4q3kKVfk~

A web page from the Redirect Detective service displays information about URL redirection, showing temporary redirection and final destination. (AI-generated caption)
A web page from the Redirect Detective service displays information about URL redirection, showing temporary redirection and final destination. (AI-generated caption)915×1020 74.7 KB

Final destination:

https://bearpass.ru/?utm_medium=email&utm_source=Unisender

From this, we can see that the site uses the Unisender service, and interestingly positions itself as a domestic alternative (as of 2025-08-11T20:00:00Z). Nothing criminal was found in this link, but I don’t like this approach. At the very least, recipients should be warned that their clicks will be tracked and used for marketing purposes.