My guess is that Twitter uses the Google SafeBrowsing API, in addition to other blacklist APIs.
http://code.google.com/apis/safebrowsing/

Google SafeBrowsing is basically two databases, which you can host locally and which are constantly updated by Google. One database consists of potential phishing addresses and the other one contains potential malware addresses. You do lookups against these databases. You don't visit the actual destination site. The same applies to other blacklist databases. That's why there is no need to check for a tco user agent or IP address. Tco never visits or crawls your site. It simply redirects the user's browser to your site.
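
Added example, not part of the original answer and not Twitter's or Google's code: a simplified local lookup modeled on Safe Browsing's hashed host-suffix/path-prefix matching, showing that a URL can be classified against locally held lists without any request to the destination. URL canonicalization and the follow-up full-hash confirmation are omitted, and the list contents and `example.test` hostnames are constructed sample data.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept in the local lists


def expressions(url):
    """Host-suffix/path-prefix strings to look up for one URL (hostname, not IP)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    # Exact host, then suffixes of the last five labels, never the bare TLD.
    hosts = [host]
    for i in range(max(0, len(labels) - 5), len(labels) - 1):
        hosts.append(".".join(labels[i:]))
    # Exact path with and without query, then up to four directory prefixes.
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    prefix = "/"
    paths.append(prefix)
    for directory in path.split("/")[1:-1][:3]:
        prefix += directory + "/"
        paths.append(prefix)
    # dict.fromkeys removes duplicates while keeping order.
    return list(dict.fromkeys(h + p for h in hosts for p in paths))


def prefix_of(expression):
    """Truncated SHA-256 digest, the form stored in the local lists."""
    return hashlib.sha256(expression.encode()).digest()[:PREFIX_LEN]


def lookup(url, lists):
    """Names of local lists holding a prefix for this URL. No network I/O."""
    wanted = {prefix_of(e) for e in expressions(url)}
    return sorted(name for name, prefixes in lists.items() if wanted & prefixes)


# Constructed sample data standing in for the two locally hosted databases.
LOCAL_LISTS = {
    "phishing": {prefix_of("login.example.test/")},
    "malware": {prefix_of("downloads.example.test/files/")},
}

if __name__ == "__main__":
    for u in ("http://login.example.test/account/verify?id=1",
              "http://downloads.example.test/files/tool.exe",
              "http://www.example.test/"):
        print(u, lookup(u, LOCAL_LISTS))
```

A listed host or directory prefix flags every URL beneath it, so one entry covers a whole site or subtree.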