As we've said in previous articles, spam is a high-profile, rapidly growing threat to the well-being of our users and our networks. Average estimates show it to make up about 75 per cent of all email traffic, so it's something we could well do without.

Both our network infrastructure and our users waste time and effort processing it, and many people find it offensive, rather than just annoying. In fact, if you're not actively trying to block it, you could run the risk of being sued by your fellow employees for allowing them to be exposed to offensive material while at work. So what are your options for getting rid of it?

Desktop packages that integrate spam filtering with your email system are common, and are often installed by home users along with anti-virus software. This option is okay for individuals and very small organisations, but it doesn't scale as a cohesive, manageable solution. And all that unwanted email traffic has already used up valuable bandwidth getting to the end station, which isn't what you want.

For larger companies, you need to centralise control, and stop the spam ever reaching your users' stations. You can do this using server-side anti-spam software – there are lots to choose from, irrespective of your server platform, both open-source and commercial. You could also look at proxy software, which saves you from the concern of installing the software on your email server, and giving it even more work to do.

To completely off-load the task from your email system, though, there's a new breed of hardware, the anti-spam appliance. Often including anti-virus software, the anti-spam device typically works out-of-the-box, so it's designed for low maintenance. Just plug it in where it can intercept all the traffic destined for your email server and it'll filter out the nasties. If this sounds attractive, there are a few things you need to check out before you decide if there's one that suits your environment, though. And many of the questions you need to ask your hardware vendor are the same as those that arise if you look at the alternative to DIY spam-filtering: the managed service.

Outsourcing
The logical extension to the concept of stopping spam before it wends its way through your infrastructure is to never have it reach your network at all. A managed service provider's offering looks at all your email before it gets to you and decides what's legitimate traffic, and what isn't. But it's the fact that an outside company is controlling your email that makes some companies wary.

Here are a few key questions to ask a potential provider to help determine whether any particular outsourced option is a good one:

- How much control do you have over the rules that determine spam? Keywords that instantly define messages as spam for most email users may be perfectly valid if, for instance, you work in a doctor's clinic or pharmaceutical company (we'll leave the examples to your imagination, as we'd rather this web page got through your own filtering systems).

- What happens to messages identified as spam – are they stored somewhere for later checking? Is this by the intended recipient, or by a member of your own IT department? Either can cause problems, in terms of practicality and data privacy issues. Depending on your business, there may be email addressees who can't afford to have anything filtered, no matter how suspect the content.

- What delays do messages incur by going through this filtering process? Hopefully inconsequential, but best to be sure.

- What is the expected rate of 'false positives' – i.e. the number of valid messages that are wrongly identified as spam? A value of 0.001 per cent (that is one in 100,000) sounds impressive and is an often-quoted figure, but what is that in terms of actual lost emails, when you count how many emails your company gets each year? Can you afford to lose these?

- What happens if there's an outage? Failures do happen, so best to know up front the worst you can expect. What levels of resilience are there, and how long can messages be safely stored if necessary?

- What reporting mechanisms are provided to let you see just what's going on behind the scenes?

The interesting thing is that all of the above points apply equally to an in-house appliance. If it wrongly trashes valuable emails, can't handle the amount of traffic being thrown at it, and won't tell you what's going on, it doesn't really matter whether the filtering system is on your premises, being looked after by the IT department, or is in a PoP somewhere, managed by someone else.

There are extra issues when it's a managed service you're talking about, such as Service Level Agreements, and whether you think the service provider is about to be bought by someone else (although this too could apply to a hardware manufacturer). When it comes down to it, there's perhaps not that much difference between a little black box on your site or on someone else's.

Rather than being an issue of control, the question of outsourcing versus in-house filtering really comes down to how well the service works, and that centres on the answers to the points raised above.