Most spam is simply advertising. However, a small proportion of messages have a malicious purpose, which can range from simple vandalism through to theft and industrial espionage.
For example, a recent virus made infected PCs send messages to addresses in users' address books. Because the text did not form recognisable words, and because the originators of the emails appeared to be valid users, these mails were not filtered by many types of anti-spam engine.
Infected firms found ordinary emails were delayed because outgoing spam was consuming bandwidth. Consequently some users were unable to work normally, and IT staff spent many hours managing queues on overworked mail servers and antivirus gateways. Rather than using a filter, it seems a bandwidth-limiter that stops users from sending more than a few emails each minute is the only way to prevent such mails clogging the internet. But though this type of vandalism has serious consequences, for many firms a risk analysis would probably show the cost of running an anti-spam gateway is higher than the costs of such incidents.
Spam can also be used to trick people into handing over secrets, such as passwords to online bank accounts. Dubbed "phishing" emails, these typically direct users to a web site that appears to be one normally used by the recipient - such as a banking site - but is in fact a fake.
Spam can also install software on a victim's PC. The costs of finding and cleaning such installations can be high. Unauthorised software may include keystroke-loggers, which record the user's keystrokes, and can identify passwords.
Another threat is Trojan software, which can provide a back door into computers. Once a Trojan is installed on a PC inside a company's firewall, it provides a springboard from which hackers can place similar software on other systems. Trojans typically provide full remote access to a system.
Finding and removing them is an expert task, particularly when working with servers.
The striking thing is that rather than being difficult to use, Trojans often have a beautifully crafted user interface, making hacking as easy as using a browser. If you have not seen a Trojan, it is worth asking a security expert to demonstrate one.
Spam can be used to deliver any of these payloads, but only if email is not filtered. With filters, email gateways should stop messages that contain executable attachments such as files with .exe at the end of their name. Blocking such attachments is a basic step in managing spam security risks.
Another risk is caused by email clients automatically displaying messages on users' screens. When these messages link to images, the images are typically retrieved from a remote server, which leaves a confirmation of the user's IP address in the server's log. Reports indicate there is a growing risk that such messages will contain a URL linking to an ActiveX applet, which could then be automatically downloaded to read data from the user's disk and post it back to a database.
Clearly, allowing URLs to be embedded in email means there is a risk that malicious software could be installed on users' PCs. While many firms might not want to remove all HTML from email messages, it is worth removing URLs so email client software such as Outlook cannot follow them automatically.
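The two gateway checks described above, blocking executable attachments and removing URLs from HTML bodies, can be sketched as follows. This is an added example, not code from the article; the function names, the extension list beyond .exe, the placeholder text and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: the article names only .exe; the rest are illustrative.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def screen_message(raw: bytes):
    """Return (verdict, blocked_filenames, html_bodies_with_urls_removed)."""
    msg = message_from_bytes(raw, policy=policy.default)
    blocked, html_parts = [], []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        # Only the final extension counts, so "invoice.pdf.exe" is blocked.
        if name.endswith(BLOCKED_EXT):
            blocked.append(name)
        elif part.get_content_type() == "text/html":
            # Without a URL the mail client has nothing to fetch on display.
            html_parts.append(URL_RE.sub("[link removed]", part.get_content()))
    return ("reject" if blocked else "deliver"), blocked, html_parts

def build_sample(attachment_name: str) -> bytes:
    """Constructed test message: HTML body with remote image plus attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "colleague@example.com", "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("plain text body")
    m.add_alternative(
        '<p><img src="http://tracker.example/p.gif?id=42">'
        '<a href="https://bank.example/login">log in</a></p>', subtype="html")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    for fname in ("invoice.pdf.exe", "notes.txt"):
        print(fname, screen_message(build_sample(fname)))
```

Matching on the filename alone does not catch a renamed executable, so a gateway would normally combine this check with content inspection.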