MessageLabs is reporting that use of URL shorteners in spam has exploded, with more than 2% of all spam now containing shortened URLs. The technique is reported to be heavily used in spam sent by the Donbot botnet.
One prolific user of this technique is a spammer sending get-rich-quick scheme advertisements. The shortened URLs redirect to a handful of sites including thebusinessnews.org, where the visitor is greeted by a fake newspaper article extolling the virtues of online money-making schemes. Clicking on any link in the article takes you to yoursecureorder.com, where there is a sign-up form for a get-rich-quick scheme. yoursecureorder.com is privately registered, so it's a little difficult to learn much about it. However, the structure of the URL suggests that it may be some kind of affiliate marketing platform, in which case the spammer may be an affiliate who's trying to earn money by using spam to steer suckers to the signup form.
The spammer is using a wide range of URL shortening services, including hurl.ws, tinyurl.com, kl.am, is.gd, tr.im, sturly.com, aafter.us, bit.ly, urlink.us and o.ly. Several of the services have already responded to the issue. Most of the shortened URLs created at hurl.ws, for example, have already been disabled, and the spammers have begun putting the full name of their domains in their messages instead.
URL shortening services are a tempting target for spammers. Recognizing 'rogue' URLs in a message is an effective spam-filtering technique, so spammers are eager to make use of URLs at domains with a good reputation. For example, URLs at Yahoo! such as Yahoo! Groups pages and profile pages are currently heavily used for this purpose, the spammers having apparently broken whatever mechanisms Yahoo! has in place to prevent automated signups. Using URL shorteners is an obvious next step, and analysis of the messages suggests that the spammers are now able to generate all the shortened URLs they want at a wide variety of services, probably by an automated process (URLs at hurl.ws, for example, appear to be sequential).
Of course, it's almost as easy for the services to disable the spammy URLs. After all, the service knows where each short URL is pointing and can quickly kill any that point to a known spam site. This looks like a technique with a short half-life. Nevertheless, it's a wake-up call to the shorteners, letting them know that they're now on the front lines of the spam war.
Maybe this is another argument for rev=canonical.