IE has a new security flaw which will be a major boon to spammers and fraudsters. The flaw allows spoofing of URLs via the http://user@host nomenclature: everything before the "@" is treated as a username, and the real host is what follows it. For example, a fraudulent spammer could direct victims to http://www.paypal.com&sessionid%01@[attacker host], but have it show up as http://www.paypal.com&sessionid%123456789 (of course, the fraudulent webpage has to be convincing enough to fool victims into believing they are actually at PayPal!). This works because by including a 0x01 character after the "@" character, IE hides the real location of the page!
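The defensive check a mail filter or proxy would want is to parse the URL by its real structure (scheme, optional userinfo, host) rather than trusting what the address bar shows. The following is an added example, not code from the original post or from Simon Willison; the sample URLs are constructed here and the attacker host is a placeholder. It extracts the host a standards-compliant parser resolves to, and flags URLs whose userinfo part contains a control character or looks like a hostname, which is exactly the shape of the spoof described above.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not from the original post). The spoofing host
# "attacker.example" is a placeholder, not a real site.
SAMPLES = [
    "http://www.paypal.com&sessionid%01@attacker.example/login",  # spoof shape
    "http://user:pass@ftp.example.org/pub",                        # legitimate userinfo
    "http://www.paypal.com/login",                                 # plain URL
]

# C0 control characters and DEL, after percent-decoding.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
# A userinfo that starts like "www.paypal.com" is trying to pass as a host.
HOSTLIKE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)


def analyse(url):
    """Return (real_host, reasons).

    real_host is the host a correct parser resolves to; reasons is a list of
    strings describing why the URL looks like a userinfo spoof (empty if clean).
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    reasons = []
    if "@" in parts.netloc:
        # Everything before the last "@" in the authority is userinfo.
        userinfo = parts.netloc.rpartition("@")[0]
        decoded = unquote(userinfo)
        if CONTROL_RE.search(decoded):
            reasons.append("control character in userinfo")
        if HOSTLIKE_RE.match(decoded):
            reasons.append("userinfo looks like a hostname")
    return real_host, reasons


def report(urls):
    """Summarise each URL as (url, real_host, reasons) for logging or review."""
    return [(u,) + analyse(u) for u in urls]


if __name__ == "__main__":
    for url, host, reasons in report(SAMPLES):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} real host={host!r:25} {url}")
        for r in reasons:
            print(f"{'':10} - {r}")
```

The point of the check is that the host shown to the user must be the host the parser actually connects to; logging `parts.hostname` rather than the raw address-bar text is what makes the spoof visible in a gateway or proxy log.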
To see it in action, fire up IE and check out this demonstration.
Source: Simon Willison