So far, there have been two significant battlefields in the war on spam. The first is the content of the e-mail message itself, followed by the IP address of the system that sent it.
With messages, e-mail appliances analyze message content for spam characteristics, such as misspelled words, weird patterns, and popular spam terms, such as "Viagra." Each message is then rated on a scorecard that determines whether or not the message will make it to the inbox. While this heuristic approach for ferreting out spam is still used today, anti-spam vendors have taken the battle a step further.
Only a few years ago, vendors added sender-reputation services to their arsenal -- that is, analyzing the message's origins, building databases of good and bad IP addresses, blocking all messages from IP addresses of known spammers, and limiting the number of connections or messages per minute from suspicious senders.
In the case of an unknown mail server, some e-mail appliances force the server to make a second connection request. This technique relies on the notion that mail servers at legitimate businesses are configured to resend and that spammers won't bother making a second request and just move on to another target.
Another mechanism for handling unknown or suspicious senders, called connection throttling, emerged two years ago. Here's how it works: An e-mail appliance with connection-throttling will allow a single message from an unknown mail server to go through. [Is there another step in between here? Does the admin or the end-user have to do something to prove the message is not spam?] Depending on whether the message turns out to be spam, the appliance may let more messages from the server to pass or shut off the pipeline.
More and more rules have led to the dreaded false positive or real e-mail incorrectly blocked as spam. "If users aren't getting things that they expect to get, that's a disaster," Dineley says. Most of the appliances reviewed by the Test Center did a good job of avoiding false positives. In fact, Cisco IronPort, Symantec Mail Security, and Tumbleweed MailGate registered few, if any, false positives, making them superior products.
Others simply blocked anything that looked like spam, resulting in a lot of false positives. This put the onus on admins and end-users to fix the problem via whitelisting. "Some of the vendors justified this approach to me, saying that the bulk messages they blocked are ones that don't comply with the CAN-SPAM Act," says Harbaugh. "However, the facts of life are that many users want these messages, whether they comply or not, and the whitelist is a pain [to build] for the first couple of weeks."