I have written a lengthy explanation here http://www.proudprogrammer.no/web/ppblog.nsf/d6plinks/GANI-A6YFK5.
Very shortly; Prompt the user when he or she attempt to click on a mail link containing a redirect-URL. These URLs uses the at-sign to redirect to other sites. The format is like this:
http:// <user info> @ < the real url>
Traditionally this format has been used to transport username and password to the site, and thus logging into a basic authentication site. However, it is fully up to < the real url> what to do with the <user info>.
In the blog post I reference in the beginning, I show how the URL http://portal.ibmeventconnect.com can be transformed to this: http://portal.ibmeventconnect.com@3277338128
Looks much the same, right? However, it uses the redirect at-sign, and redirects the call to a Norwegian newspaper (www.vg.no) were I have converted www.vg.no's IP address to an integer. All valid URL-stuff, but easy to overlook.
I therefore hope IBM will allow a configurable dialog box to pop up when such links are clicked, to both warn - and possible show where the link would end up.