Toby Penn, CISSP, senior solutions engineer for Accuvant (, says:

Accuracy counts. For example, if you receive 1,000,000 messages per week and your solution is 5% less effective than one that costs just a little bit more, you will be allowing in 50,000 extra “bad” messages per week. This adds up quickly and can introduce malware, spyware and clog your disk storage.

Quarantine management should not be overlooked. Being able to intuitively and rapidly search for an email, determine why it was caught, and either release or explain to the user is essential. And, don’t think of this as your anti-spam solution having a lot of false positives; more than likely it is a rule you have customized that will cause this. Being able to know if your rule is working well is also key.

When choosing a solution that uses (and in some cases depends) on reputation services, make sure that you still get log entries for the connection. If a system blocks a message at the connection level (during the three-way handshake) but does not log the message, you have no mechanism of proving a message did or did not make it to your organization.

When comparing solutions, be aware that different solutions count messages differently. One solution may use the message ID (unique number that is tagged to every message), while other solutions may use recipients to calculate their statistics. This can cause widely different numbers to show up. For instance, if a single incoming message is destined for 20 recipients one solution may count this a one message and another solution may count this as 20 messages.