Do we really need to worry about spam any more?

Posted on August 29, 2007. Filed under: Anti-malware

We’ve all had a lot of fun laughing at Bill Gates’ prediction back in 2004 that spam would be a dead issue within two years. Far from falling, the volume of spam has risen to new levels, often accounting for more than 90% of all internet mail traffic.

But is it possible that Bill will be proved right eventually, with only his timescales slightly awry?

I don’t know about you, but my spam filters work pretty well these days. The occasional bit of image spam gets through – one or two a day, maybe – and I can’t remember the last time I found a false positive.

Graham Cluley over at Sophos thinks he can detect signs of desperation among the spammers. The sudden flood of spam using PDF attachments to fool the filters peaked in August and has abated quickly. Cluley sees this as the spammers struggling to find their way past ever stronger defences.

Now we hear that Excel files are being used to carry spam, in the hope that people will not suspect a spreadsheet. Most filters should be able to close that down quickly, and users will learn not to fall for the trick more than once.

So there really is a prospect of spam – in the sense of scattergun mass-mailings – becoming so unsuccessful that the perpetrators might think about giving up on it.

But Mark Sunner of MessageLabs sees new types of unwanted mail that work on different principles. First we see the short-burst mailing that lasts just a few minutes and disappears before it hits the honeypots used by the anti-spam community to track new traffic. It may not hit as many addresses as the traditional blockbuster mailing, but it has more chance of getting through.

The trend he notes is for hackers to trawl detail from social networking sites and to send very personalised messages to the recipients. In one incident he reports seeing a spate of messages all sent to company board directors (or their secretaries in a couple of cases) which asked them to click on a link.

The links were cleverly labelled either ‘invoice’, ‘customer complaint’, or ‘directive from the Financial Services Authority’. As soon as the recipient clicked on the link, of course, a trojan was downloaded on to the machine, ready to transmit back whatever private information a hacker might want.

And where did the information for the addresses come from? It turned out that all the recipients had given out their contact details on LinkedIn, and these had subsequently been harvested easily by the spammers. The scam would work as easily with other business-based networks like Plaxo, or social sites like Facebook and Myspace.

Which leads me to conclude that mass-mailing spam might be on the way out, but we still need to be very careful about how we handle email.

