This month, MessageLabs Intelligence uncovered evidence of spammers establishing their own fake URL-shortening
services for the first time. Shortened links created on these fake URL-shortening sites are not included directly in
spam messages; instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites.
Rather than leading directly to the spammer’s final Web site, these links actually point to a shortened URL on the
spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s final Web site.
MessageLabs Intelligence research has identified several similar fake URL-shortening Web sites associated with the
same spammers, each behaving in the same way. All the sites use .ru (Russian) domain names, and many are hosted
in Russia and Ukraine.
To make things more interesting, the domains were registered several months before they were used, potentially as a
means to evade detection by legitimate URL-shortening services, since the age of the domain may be used as an
indicator of legitimacy, making it more difficult for the genuine shortening services to identify potential abuse.
Russia, Ukraine - "round up the usual suspects" (c) Casablanca
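
The two-stage redirect described above can be checked from the defender's side by looking at the recorded redirect chain of a link rather than only its first hop. The sketch below is an added example, not code from MessageLabs or from this post; the shortener allowlist, the short-link heuristic and the `.example` chains are assumptions constructed for illustration. Domain age is deliberately not used as a signal, since the report says these domains were registered months in advance.

```python
from urllib.parse import urlsplit

# Assumed allowlist of legitimate shorteners; a real deployment maintains its own.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def looks_like_short_link(url):
    """Heuristic: one short alphanumeric path token and no query string."""
    parts = urlsplit(url)
    token = parts.path.strip("/")
    return token.isalnum() and len(token) <= 10 and not parts.query

def suspicious_intermediaries(chain):
    """Return hosts that behave like a shortener sitting behind a known shortener.

    chain is the ordered list of URLs observed while following redirects,
    starting with the link found in the email.
    """
    flagged = []
    for prev, cur, nxt in zip(chain, chain[1:], chain[2:]):
        if (host(prev) in KNOWN_SHORTENERS            # hop came from a real shortener
                and host(cur) not in KNOWN_SHORTENERS  # ...to a host we do not know
                and looks_like_short_link(cur)         # ...whose URL is itself a short link
                and host(nxt) != host(cur)):           # ...and which bounces off-site again
            flagged.append(host(cur))
    return flagged

# Constructed redirect chains (reserved .example names, not real observations).
CHAINS = {
    "two-stage": ["http://bit.ly/a1B2c3",
                  "http://fake-shortener.example/x9Yz",
                  "http://final-site.example/index.html"],
    "direct": ["http://bit.ly/q7W8e9",
               "http://news.example/2010/07/story.html"],
    "same-site": ["http://tinyurl.com/abc123",
                  "http://news.example/article",
                  "http://news.example/article/full.html"],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(name, suspicious_intermediaries(chain))
```
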