[cillian64]

If security software can read email enough to observe the shortened URL, couldn’t it just see what it expands to and then judge the target URL? Link shorteners don’t seem to have any obvious CAPTCHAs.

[scandox]

We have about 500ms to make our assessment so we wouldn't follow a link in realtime and depend on it resolving and redirecting etc.

Instead we expand them later and visit and scan them after the fact. But at that point the email is often already delivered.

But bottom line url shorteners are so abused as to be a de facto sign of spam.