Sophos Anti-Virus may be the best kept secret in the anti-virus industry. Sophos produces a very high quality scanning engine and provides very good support. Sophos caters to the enterprise, so their products are built for a diversity of platforms. Their products are not sold retail, which is part of the reason they are able to maintain the high quality of their support. (NB: I am a Sophos reseller, so my opinions are biased.)

Most of Sophos' products ship with 'sweep', a command-line scanner, but the the command-line client is mostly a wrapper around SAVI, their scanning engine library. SAVI can also be licensed on its own in blocks of 50 users. This is a good solution for customers who only want e-mail filtering or already have another anti-virus product. Sophos provides the C headers to SAVI to developers, and Vanja Hrustic used them to implement Sophie. Sophie is a daemonized scanner with which external processes communicate through a UNIX domain socket. Because loading the virus definitions and initializing the scanning engine requires considerable overhead in program initialization, it is better to have a daemonizeds canner, especially when using 'sweep' would require many invocations.

SpamAssassin itself probably needs no introduction. It is widely regarded as the best open source spam-filtering engine available (and is probably better than most proprietary offerings). It includes a wide range of heuristic patterns and scores which are applied to messages, connections to external sources, such as DNSRBLs, Razor2 and DCC. Later versions also implement Bayesian classification, which greatly improves detection quality.

SpamAssassin operates by applying a number of heuristic tests to messages, and then scoring the message. More factors are taken into consideration by using a battery of tests to produce more accurate results than an all-or-nothing keyword filter can provide. Consider, for example, if anything containing the word "viagra" were rejected as spam, much Viagra(tm)-related spam would be discarded, but you would also miss the joke forwarded by your buddy or the polite request from your wife. Configurable thresholds allow an administrator or user to decide how aggressive to be when deciding whether or not a message is spam.

The more tests SpamAssassin uses, the higher the scores will be for spam, so the higher the thresholds can be set and the more accurate filtering will be. Razor2, DCC, and Pyzor are external tests which are highly recommended. All three work by computing checksums of messages which have been recognized as spam and comparing those to databases on the Internet. DCC uses a fuzzy checksum to detect spam, especially messages where spammers have added random characters to parts of the message in an attempt to fool the other systems. If possible, register and send checksums of spam not caught by these system back to network; they operate as community efforts, so your contributions help.

SpamAssassin will also use DNS real-time black-hole lists (DNSRBLs) and right-hand-side black-hole list (RHSBLs). It assigns different scores based on the reputation or focus of the RBL, and as a result is safer than using the lists directly through your MTA; for example, instead of simply blocking all messages originating at from a dial-up address, the RBL simply adds to the score, so if the message is otherwise not spam-like, it will be allowed through. (I have seen desperate small ISPs block mail entirely from addresses owned by particular national IPSs, which is a very bad practice, since it alienates sizable portions of the Internet.) SpamAssassin is also able to apply the RBL tests to all hosts through which the message has passed, which is more effective than only applying it to the SMTP peer, as an MTA usually does.

Among the newest and most exciting features is the Bayesian classification and auto-learning, which allow it to learn what is spam and non-spam based on scores of messages it sees. Bayesian classification is a sophisticated technique to statistically determine the likelihood of a message being spam, based on identifying tokens (words, etc.) as either being most frequently used in spam or "ham" (non-spam). It's a good deal more flexible than the static regular expression matching that SpamAssassin does without it; as a result it has to learn which tokens are spam tokens and which are ham tokens, so it must be trained, usually be feeding it messages and indicated which it is. Since SpamAssassin still has a number of other tests it performs, it can also automatically teach the Bayesian classifier based on the message's score, so it continuously adapts its idea of what is spam or ham based on the messages it receives.