Want to piss off your IT department? Are the links not malicious looking enough?

Original Article ↗ Hacker News Discussion ↗

Overall reaction & nostalgia

  • Many commenters find the site genuinely funny, a “chaotic neutral” prank and a spiritual successor to now-defunct shadyurl.
  • People enjoy sharing especially absurd generated links and reminiscing about old internet pranks (e.g., goatse, rickrolling, mis-typed domains like whitehouse.com).
  • Some see it as a great tool for friendly trolling among coworkers or friends, or even for “pen-testing” less tech‑savvy relatives.

Security & abuse concerns

  • Several warn that routine use at work could worsen phishing detection by adding noise to heuristic systems already plagued by false positives, potentially hiding real threats.
  • Others joke about more extreme defenses: blocking all email links, all HTML email, or even email entirely, though this is debated as impractical.
  • A few outline how a malicious operator could later swap safe destinations for phishing pages, or how scanners might mark the domains as malware/SEO‑spam over time.
  • Someone notes VirusTotal already flagged one generated domain as malicious, likely as a heuristic false positive.

Corporate security theater & broken UX

  • Many compare the joke site to real enterprise tools (Microsoft Safe Links, Mimecast, Trend Micro, Proofpoint) that rewrite URLs into opaque, scary strings and sometimes break one‑time links or cause delays/timeouts.
  • Mandatory phishing‑test emails and compliance training often look more suspicious than real scams, teaching users that bizarre domains and threatening language are “normal.”
  • Stories abound of internal surveys, bonuses, and training notices being ignored or reported as phishing because they resemble the very attacks people are trained to avoid.

Workarounds, tweaks & quirks

  • Users describe filters/scripts to auto‑detect test emails or unwrap “safe” URLs, effectively opting out of corporate phishing games.
  • Suggestions for the site include defaulting to HTTPS, offering a “less over the top” mode, reverse lookups of generated URLs, and fixing strict URL validation (e.g., rejecting localhost/test.example).