To the browser, http://www.mail.lycos.com and address.mail.lycos.com are two different sites. Lycos changes the document.domain to avoid security restrictions but ..
1) They do so only after some browser sniffing that means nothing happens if you identify as Opera.
2) The mail does not have any port number in the address, while the address book has. Thus the scripts still fail the origin check.