IE has a new security flaw which will be a major boon to spammers and fraudsters. The flaw allows spoofing of URLs via the http://user@host syntax: everything before the "@" is the userinfo field, and only the part after it is the real host. For example, a fraudulent spammer could direct victims to a URL of the form http://www.paypal.com%01@evil.example/ (with evil.example standing in for the attacker's actual server), but have IE's address bar show only http://www.paypal.com (of course, the fraudulent webpage has to be convincing enough to fool victims into believing they are actually at PayPal!). This works because IE stops displaying the URL at a 0x01 character: placed at the end of the decoy name, immediately before the "@", it hides the "@" and the real host that follows it.
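
The following is an added example, not code from the original post or from the demonstration it links to. It uses the WHATWG URL parser in Node.js to show what a correct parser makes of such a URL (the decoy name lands in the userinfo field, the attacker's host is the real hostname), and it simulates the described display bug by cutting the URL text off at the first 0x01 byte. The hostnames (evil.example) and sample URLs are constructed for illustration, and the simulated display is a model of the behaviour described above, not IE's actual code.

```javascript
// Added example (not from the original post): why "http://decoy%01@realhost"
// fools a display that stops rendering at a 0x01 byte, and how a proper
// parser sees through it. Hostnames such as evil.example are made up.

// Model of the vulnerable address bar described above: the URL text is shown
// only up to the first 0x01 byte, whether raw (\x01) or percent-encoded (%01).
function vulnerableDisplay(rawUrl) {
  const cut = rawUrl.search(/\x01|%01/i);
  return cut === -1 ? rawUrl : rawUrl.slice(0, cut);
}

// Hostname as a standards-compliant parser sees it, or null if unparseable.
function hostOf(urlText) {
  try {
    return new URL(urlText).hostname;
  } catch {
    return null;
  }
}

// Compare what a vulnerable display would show with where the URL really goes.
// The WHATWG parser puts "www.paypal.com%01" into username and evil.example
// into hostname, because the host is whatever follows the "@" in the authority.
function analyzeUrl(rawUrl) {
  const parsed = new URL(rawUrl);
  const shown = vulnerableDisplay(rawUrl);
  const displayedHost = hostOf(shown);
  return {
    shownByVulnerableIE: shown,
    displayedHost,                 // host a victim would believe they are on
    realHost: parsed.hostname,     // host the request actually goes to
    userinfo: parsed.username,     // decoy text hidden in the userinfo field
    spoofed: displayedHost !== parsed.hostname,
  };
}

// Constructed sample URLs: two spoof attempts (percent-encoded and raw 0x01),
// one benign URL with legitimate userinfo, one plain URL.
const SAMPLES = [
  "http://www.paypal.com%01@evil.example/login",
  "http://www.paypal.com\x01@evil.example/",
  "http://user@evil.example/",
  "http://www.paypal.com/",
];

function demo() {
  return SAMPLES.map((u) => analyzeUrl(u));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) {
    console.log(`${r.spoofed ? "SPOOF " : "ok    "} shown=${r.shownByVulnerableIE} real=${r.realHost}`);
  }
}
```

A defensive check that does not depend on the display bug at all is simply `new URL(link).username !== ""`: a link to a site like PayPal has no business carrying userinfo, so its presence alone is worth a warning to the user.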

To see it in action, fire up IE and check out this demonstration.

Source: Simon Willison