This is, I must say, very clever. In my latest round of inbound spam, I’ve noticed that some senders have begun sending valid links to http://google.com/ in their messages. The technique they’re using is to obfuscate a target URL inside a Google “I’m feeling lucky” query: this means that the domain near the left of the URL really is google.com and doesn’t need to be faked, but it immediately reroutes a click to the spammer’s target, which is difficult to read due to some escaping. This is a cute social engineering attack, riding on Google’s brand and domain name to gull the unwary into clicking.
An obvious variant of this technique would be to seed a link farm with statistically improbable phrases, such that an “I’m feeling lucky” search for some innocuous but unlikely term, e.g. “woozy numbat playing kazoo”, would end up with a spammer’s site advertising something rather less wholesome as the number one hit. A spammer could even extend the use of SIPs to provide a canary trap to validate email addresses:if the inbound search term is “feral pet smells linux”, and we only sent that combination to user@domain.com, then the address must be valid.