"never click on links" is impossible advice to follow. Security people often forget that there is a tradeoff between security and functionality. You need to do cost/benefit analysis to decide whether to use a particular feature.
Bitly just posted in the blog comments that they stopped this exploit. That was fast -- yay.
Link to comment: <a href="http://thenextweb.com/insider/2012/10/19/spammers-start-using-short-gov-urls-to-trick-their-victims/#comment-687435173" rel="nofollow">http://thenextweb.com/insider/2012/10/19/spammers-start-usin...</a>
This is a problem with the .gov sites. Forget the shortening issue; that any site would happily redirect anything is nuts. I get they're doing it for tracking purposes, in which case, would it be that hard to whitelist the redirect URLs?
This was also a much used trick: <a href="http://news.ycombinator.com@1249739877" rel="nofollow">http://news.ycombinator.com@1249739877</a>
Although most browsers have implemented a warning of some sort it can still hoax spam-filters that use a regexp pattern which doesn't account for this type of behaviour.
Trustworthy and Automatic (for the link shortening) do not combine well.<p>At least the bit.ly service means that the traffic can be gathered and analysed (and presumably those links disabled) to get data about spam clicks.
The great thing about these URL shorteners is the companies seem to be very proactive when dealing with spam and malware. They don't want to be associated with this crap so naturally they block it when they find it.