A new type of spam filter

Fed agencies turn to IronPort's appliances to scrutinize e-mailers' behavior

By Michael Arnone
Published on November 21, 2005


Kevin Stine, the Food and Drug Administration's chief information security officer, knew he had to do something to tackle the agency's spam problem last year. Out of 150,000 daily inbound e-mails, 40,000 were spam.

The FDA's information technology employees spent 5 percent to 10 percent of their time weeding out unsolicited commercial e-mail messages, which consumed valuable, limited resources, he said.

The FDA's biggest problem was the huge number of false positives triggered by the filters that examined e-mail messages for keywords, Stine said. The filters flagged messages that contained words such as "sex" and "Viagra," which occur in both legitimate e-mail messages and spam selling pornography and fraudulent access to pharmaceuticals.

The filters caught real spam but also corralled thousands of genuine messages, inconveniencing the FDA's 12,000 users.

The FDA didn't have an agencywide antispam system in place. Instead, it used more localized efforts based on keyword filtering, but Stine said those efforts were neither efficient nor accurate.

Realizing that they needed a more effective solution, agency officials turned to IronPort Systems, which offers a line of antispam appliances that block unwanted messages while letting in legitimate e-mail.

Most antispam products use keyword analysis of e-mail content to determine if a message is spam. This method leads to a cat-and-mouse game between spammers and information security professionals because the former can easily manipulate content to bypass filters, said Tom Gillis, IronPort's senior vice president of worldwide marketing. Then the filter-makers refine their tools, and the cycle begins anew.

IronPort uses a behavioral model of filtering, which grants or blocks access to its customers' networks based on e-mail senders' behavior instead of their messages' content.

This reputation-based filtering blocks spam and viruses while letting legitimate traffic pass through with greater accuracy and reliability, IronPort officials and customers say.

IronPort engineers got the idea for reputation-based filtering from a question: Aside from a message's content, how can you identify a spammer? They knew that message volume is the biggest tip-off because spam's business model requires volume for success, Gillis said.

That question led to a list of other criteria that IronPort uses to evaluate whether an e-mail message is spam.

For example, if an e-mail source sends millions of messages in a matter of seconds, doesn't accept messages in response and has a consumer IP address that normally doesn't send that volume of traffic, it's a spammer and IronPort will block messages from it.
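The contrast the article draws, as an added Python example (not from the article and not IronPort's code): a keyword filter and a sender-behavior check run over the same constructed mail log. The log records, the per-sender facts and the burst threshold are assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample SMTP log: (sender_ip, arrival_second, subject). Not real traffic.
LOG = (
    [("203.0.113.7", t % 5, "Cheap Viagra now") for t in range(400)]
    + [("198.51.100.20", 3, "Review of Viagra labeling submission"),
       ("198.51.100.20", 40, "Meeting notes")]
)

# Assumed per-sender facts an operator would gather out of band (hypothetical values).
SENDER_FACTS = {
    "203.0.113.7": {"accepts_replies": False, "consumer_ip": True},
    "198.51.100.20": {"accepts_replies": True, "consumer_ip": False},
}

KEYWORDS = ("sex", "viagra")  # the keywords the article mentions
BURST_LIMIT = 50              # assumed threshold: messages per 10-second window


def keyword_verdicts(log):
    """Content filter: flag any message whose subject contains a keyword."""
    return [any(k in subj.lower() for k in KEYWORDS) for _, _, subj in log]


def peak_rate(log, window=10):
    """Highest message count per sender within any fixed window of `window` seconds."""
    buckets = defaultdict(int)
    for ip, sec, _ in log:
        buckets[(ip, sec // window)] += 1
    peak = defaultdict(int)
    for (ip, _), count in buckets.items():
        peak[ip] = max(peak[ip], count)
    return dict(peak)


def behavior_blocklist(log, facts):
    """Block a sender only when all three behaviors the article lists are present."""
    blocked = set()
    for ip, rate in peak_rate(log).items():
        f = facts.get(ip, {"accepts_replies": True, "consumer_ip": False})
        if rate > BURST_LIMIT and not f["accepts_replies"] and f["consumer_ip"]:
            blocked.add(ip)
    return blocked


def compare(log=LOG, facts=SENDER_FACTS):
    """Return (keyword-flagged subjects from senders behavior allows, blocked senders)."""
    blocked = behavior_blocklist(log, facts)
    flags = keyword_verdicts(log)
    disagreements = [subj for (ip, _, subj), hit in zip(log, flags)
                     if hit and ip not in blocked]
    return disagreements, blocked
```

The keyword filter flags the regulatory message along with the bulk mail, while the behavior check blocks only the high-volume sender and never inspects the subject line.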


