And still the spam comes...

In the case of an unknown mail server, some email appliances force the server to make a second connection request. This technique relies on the notion that mail servers at legitimate businesses are configured to resend and that spammers won't bother making a second request and just move on to another target.

Another mechanism for handling unknown or suspicious senders, called connection throttling, emerged two years ago. Here's how it works: An email appliance with connection-throttling will allow a single message from an unknown mail server to go through. [Is there another step in between here? Does the admin or the end user have to do something to prove the message is not spam?] Depending on whether the message turns out to be spam, the appliance may let more messages from the server to pass or shut off the pipeline.

More and more rules have led to the dreaded false positive or real email incorrectly blocked as spam. "If users aren't getting things that they expect to get, that's a disaster," Dineley says.

Most of the appliances reviewed by the Test Center did a good job of avoiding false positives. In fact, Cisco IronPort, Symantec Mail Security, and Tumbleweed MailGate registered few, if any, false positives, making them superior products.

Others simply blocked anything that looked like spam, resulting in a lot of false positives. This put the onus on admins and end-users to fix the problem via whitelisting. "Some of the vendors justified this approach to me, saying that the bulk messages they blocked are ones that don't comply with the CAN-SPAM Act," says Harbaugh. "However, the facts of life are that many users want these messages, whether they comply or not, and the whitelist is a pain [to build] for the first couple of weeks."

Holding back the spam tide may require shaking up the world of email. Harbaugh calls for striking at the heart of how spammers ply their trade; currently, spam is blasted to the masses in three ways: via registered email servers, mail servers that allow anonymous forwards, and botnets of subverted computers.

With registered email servers, many ISPs block servers that send messages in violation of the CAN-SPAM Act. But the law only applies within the US, and spam is legal in many countries. It's also difficult for ISPs to pre-emptively block spam without opening themselves to liability charges. "The only practical way to stop this kind of spam is charging per message," says Harbaugh. "If ISPs are being charged per message, it gives them a real economic incentive to patrol their networks and stop spammers quickly."

Charging for messages is a sensitive issue. It's likely that junk-mail advertisers will happily pay fees and push out even more spam. And then there's the thorny idea of taxing the Internet. "The Internet is free to everyone," Forrester's Wang says. "Besides, spam is not getting worse ... the majority of the threat now lies in the web channel - not email channel - such as fake websites and hacked real websites."

Undaunted, Harbaugh also wants to take a hard-line approach to mail servers that allow anonymous forwards. His suggestion: make all mail servers comply with security measures that block anonymous forwarding. By some estimates, a server that doesn't block anonymous forwarding will be exploited by spammers within minutes. Revised SMTP protocols would make it easier to trace people who are illegally sending spam. And message charges would provide a financial incentive for people with mail servers to follow the new rules.