Strategies


E-Mail Management

Be a Spam Slayer

03.11.2003
By Alice Dragoon

If you choose to outsource, make sure your service provider will give you timely access to quarantined messages. When Rush Enterprises, a truck, construction and farm equipment dealer, tried outsourcing, Rush's e-mail administrator couldn't see what was being filtered and therefore couldn't tell if the company was missing good e-mails. "When you outsource, you generally lose control," says CIO Scott Kressner. If there was a problem, or if a user needed to be able to receive an important message, it took hours or even a day or two to resolve the situation. Kressner ended up purchasing the antispam appliance (a server loaded with the outsourcer's software that sits in front of the real mail server) and now uses it in conjunction with Symantec Gateway. Although the appliance was more than two or three times the annual cost of the service, Kressner says it's been well worth it to regain control.

A Spam Cocktail

A year or two ago, subscribing to a list of known spammers (known as a black-hole list or a blacklist), or relying on a signature approach (comparing the patterns in a new message against the fingerprints of known spam messages), or using reverse DNS lookup to check whether the sending domain was legitimate might have worked. But companies can't rely on just one type of blocking anymore.

"I'd strongly argue that you need a spam cocktail - a variety of approaches that work together to generate a probability as to whether a message is spam or not," says Meta's Cain. The most reliable products and services subject each e-mail to numerous tests that yield a probability score indicating how likely the message is to be spam. Companies can then set up rules that, for example, delete messages with a spam score of 95 percent or more, quarantine messages in the 85 percent to 95 percent range, and deliver (with a "suspected spam" warning) messages with scores between 75 percent and 85 percent.

The managed service provided by FrontBridge, for example, uses the cocktail approach. To make it into a user's inbox, an e-mail must clear three hurdles. First, its sender can't be on FrontBridge's proprietary blacklist. Then it must pass through a spam fingerprinting layer that identifies specific characteristics unique to spam. (For instance, spam often hides a stash of unspammy words in white HTML text on a white background to try to fool filters into thinking it's real e-mail; legitimate e-mail would not include white-on-white text.) Finally, it's got to survive a heuristics layer, which involves rule-based scoring. Spamlike behaviors, such as odd characters, spacing or HTML links, earn bad points, which are offset by good points awarded for characteristics that suggest legitimacy. FrontBridge updates 250 of its 10,000-plus rules daily.
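The three hurdles and the score thresholds described above can be sketched in a few lines. This is an added example, not FrontBridge's or any vendor's code; the blacklist entry, rule patterns, point weights and the neutral starting score of 50 are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

BLACKLIST = {"bulk.example.net"}  # constructed entry standing in for a vendor list
WHITE = {"white", "#fff", "#ffffff"}

class HiddenText(HTMLParser):
    """Fingerprint layer: collect white <font> text on a white background."""
    def __init__(self):
        super().__init__()
        self.bg_white, self.colors, self.hidden = True, [], []  # assume white default page
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and a.get("bgcolor"):
            self.bg_white = a["bgcolor"].lower() in WHITE
        elif tag == "font":
            self.colors.append((a.get("color") or "").lower())
    def handle_endtag(self, tag):
        if tag == "font" and self.colors:
            self.colors.pop()
    def handle_data(self, data):
        if self.bg_white and self.colors and self.colors[-1] in WHITE and data.strip():
            self.hidden.append(data.strip())

# Heuristics layer: (pattern, points). Positive is spamlike, negative suggests legitimacy.
RULES = [
    (re.compile(r"\b\w(?: \w){4,}\b"), 25),            # odd spacing: "V I A G R A"
    (re.compile(r"[!$]{3,}"), 15),                     # runs of odd characters
    (re.compile(r"https?://\d+\.\d+\.\d+\.\d+"), 25),  # link to a bare IP address
    (re.compile(r"^in-reply-to:", re.I | re.M), -40),  # reply within an existing thread
]

def score(sender_domain, raw):
    """Return 0-100; failing either of the first two hurdles short-circuits to 100."""
    if sender_domain.lower() in BLACKLIST:
        return 100
    parser = HiddenText()
    parser.feed(raw)
    parser.close()
    if parser.hidden:
        return 100
    points = sum(pts for rx, pts in RULES if rx.search(raw))
    return max(0, min(100, 50 + points))  # 50 is an assumed neutral starting score

def disposition(s):
    """Threshold policy quoted in the article: delete, quarantine, tag or deliver."""
    if s >= 95:
        return "delete"
    if s >= 85:
        return "quarantine"
    return "deliver-tagged" if s >= 75 else "deliver"
```

Light text on a dark background is deliberately not flagged, since the fingerprint only fires when the font colour matches a white background.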

Although attacking spam on multiple fronts may seem like overkill, Walter Smith can attest that it's necessary. As director of the global IT infrastructure services group at Advanced Micro Devices (AMD), he calculated that spam was costing the computer chip manufacturer more than $1.5 million a year in lost employee productivity. He first took a crack at handling the problem internally. "Our initial approach was to use fairly simple rules to identify spam and tag junk mail," he says. "We quickly found out that simple rules and spam don't go together." Before long, two full-time employees were consumed with tweaking the rules to account for all of the variations in spam, and even then, they couldn't keep up with the spammers. Only about 30 percent of spam was getting tagged, and some legitimate e-mail was wrongly identified as spam.
