Her top-line advice: "To keep a step ahead of spammers, organizations should adopt a hybrid of filtering solutions, strengthen this connection to management technologies, and treat anti-spam as part of a wider e-mail content security strategy that includes content protection and compliance."

In a recent report titled Spam Management Best Practices, Chang noted that spammers continue to evolve in sophistication and are part of a greater community of cyber criminals.

"Our analysis into malware, spam, phishing and emerging threats reveals an extremely dynamic threat landscape, fueled by an organized underground economy. Trust on the Internet is increasingly elusive as more and more trusted sites become unwitting participants in proliferating attacks," she said in the report.

That said, "Although it's impossible to eradicate spam completely from the Internet today, organizations can alleviate the problem by adopting recommended practices, from both policy and technological perspectives," Chang said.

Those policy practices include "taking a rough axe to the blatant spam messages." That means blocking messages in the definite spam category, such as pornography, phishing and financial solicitations.

Newsletters, political campaigns and product marketing messages also might fit into that category, but not always.

"One man's spam is another man's useful newsletter," Chang pointed out, recommending the adoption of user-specific filtering policies, such as allowing marketing messages to go to the sales groups and executable files to engineering personnel.

Technology management techniques, meanwhile, include blacklists, whitelists, sender reputation, rate controls and recipient verification–techniques that filters the bulk of the e-mail coming in and allows for more in-depth content analysis downstream, Chang said.

The Forrester analyst also recommended leveraging self-management tools that allow users to then make filtering choices, and to manage bounce specifications. Spammers use bounce messages to collect valid e-mail addresses, Chang said. She suggested limiting the number of external bounce notifications for unreachable addresses.

"An example is to only send bounce notifications to certain trusted domains or rate-limit the number of notifications to a single source," she said. "You should look to antispam technologies that support the implementation of such policies."

Vendors mentioned in Chang's report include IronPort Systems, Spamhaus, 510 Software Group, Secure Computing and Tumbleweed.

Like many areas of endeavors not defined by a calculator and the bottom line, success in spam control is typically measured in the breach.

A good antispam solution should only require a few minutes per day to manage, Chang said, should not allow more than one false negative block per user per day, and should allow only a false positive every 200,000 messages.

And, she said, "It should be obvious from your user feedback whether you're doing a good job."

"In fact, sometimes the best indication of a successful anti-spam deployment is that you hear less or nothing from your users. The decrease of complaints in this subject area is silent kudos."

–[email protected]