A link shortener is a simple way for malicious or spammy email senders to cloak their malicious or spammy link in something which is not yet on a block list.
So what we find is that as new ones come into the market they are eagerly adopted and we start to see evil links. From our point of view the earlier we put in place a wholesale block the better, because otherwise they may become "too big to block" like bit.ly etc... Although even these are blocked by gmail from time to time (for example).
If security software can read email enough to observe the shortened URL, couldn’t it just see what it expands to and then judge the target URL? Link shorteners don’t seem to have any obvious CAPTCHAs.
So what we find is that as new ones come into the market they are eagerly adopted and we start to see evil links. From our point of view the earlier we put in place a wholesale block the better, because otherwise they may become "too big to block" like bit.ly etc... Although even these are blocked by gmail from time to time (for example).