That syntax has been allowed and used (and still is) for FTP since long before HTTP and the world wide web were a twinkle in Tim Berners-Lee's eye, and isn't much different from that used by telnet back to the dawn of time. It is arguable that the RFC should not be superceded simply to correct a social engineering problem. Microsoft could conceivably otherwise check for such an exploit and disallow it.|
Your comment is also somewhat misleading. Hugo wrote:
The problem with IExplorer was that certain character inside the URL (hidden right after the '@' sign) [it is actually (%01) placed before the '@' sign] causes that explorer doesn't showed the rest or the url, even in the address bar or the body of a mail message That is only part of the problem, it is one of the later wrinkles or enhancements I referenced. I was first involved with phishing in a case where AOL users suffered this semantic attack so as to cough up their account ISERID/Passwords which spammers would then put to one-time use. That was back in 1997 and wasn't the first instance. The wrinkle you speak of was first (mis)used last year SFAIK, perhaps because it may not have been considered necessary by scammers prior to the release of the current IExplorer v. 6.x in which the URL line shows only the accurate address (unless one uses that exploit).
Versions 5.x and earlier did show the entire URL (my example of
did not use that wrinkle as a view of the source code will show, perhaps someone with an unpatched pre v. 6.x can confirm that link behaviour). Particularily as part or all of the link can be obfuscated into octal and/or hex as I first pointed out, most users cannot be expected to parse each URL looking for an instance of '@'. For example the URL of the page I now write on looks like this (to me, YMMV somewhat):
http://www.icannwatch.org/comments.pl? sid=1539&op=Reply&threshold=-1&commentsort=1&mode= nested&tid=34&pid=12927
Eyeball a bunch of those each day (and then double-check to be sure) and you'll never get anything else done. That's assuming that the IExplorer user, which is to generally say newbies and the less technically clued, even knew to search for '@', which they overwhelmingly do not. -g