Spam Killers
Clever new technologies are starting to clamp the lid on junk e-mail aimed at employees.

(Business 2.0) – In a darkened room on the 18th floor of a downtown San Francisco high-rise, Wilson Cheng scans his e-mail. "Cheapest Viagra Guaranteed." "Affordable Mortgages NOW!!!" "Toilet Cams JUQYZJIV." He gets thousands of these every day, and he sees them all--so that you never have to.

There's a high-tech war going on between e-mail administrators and e-mail abusers, and spam fighters like Cheng are on the front lines. Cheng works for Brightmail, one of a dozen services that have sprung up in the past two years to help corporate e-mail servers keep ahead of ever more sophisticated spam technologies.

Junk e-mail now engulfs an appalling 38 percent of the average inbox, up from a merely annoying 8 percent a year ago. While most of the 140 billion pieces a year flood popular e-mail domains like Hotmail and EarthLink, it's fast becoming a business problem too. Cheng says his work has grown so intense that he's had nightmares in which he gives Nigerian e-mail scamsters his credit card number. "I wake up sweating," he says.

As well he might. Spammers used to leave corporate e-mail systems alone. That changed as the falling cost of bandwidth and bulk-mail software put the so-called dictionary or directory harvest attack within reach of even small-time junk-mailers. In this technique, a computer hurls tens of thousands of common names at a corporate e-mail system--woe is John Taylor or Mike Gonzalez--to see what sticks. When the attack yields a live address, the spammer adds it to his own database and sells it to other junk peddlers. In a matter of days, the address can be the target of hundreds of junk e-mails. Antispam service Postini says dictionary attacks have increased 90 percent in the past two months alone. Once the junk-mailers have employees' names, traditional defenses are often inadequate to keep the spam out.

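An added example, not part of the original article: one way a mail administrator could spot the directory harvest attack described above in server logs, by flagging any client that probes many distinct nonexistent recipients within a short window. The log format, addresses, thresholds and the function name find_harvesters are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format and sample data (assumptions, not any real mail server's output).
# Reply code 550 stands for "no such user" here; 250 means the recipient was accepted.
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> code=(?P<code>\d{3})$")
SAMPLE_LOG = """\
2003-09-01T10:00:00 client=203.0.113.7 rcpt=<john.taylor@example.com> code=550
2003-09-01T10:00:02 client=203.0.113.7 rcpt=<mike.gonzalez@example.com> code=250
2003-09-01T10:00:04 client=203.0.113.7 rcpt=<mary.smith@example.com> code=550
2003-09-01T10:00:06 client=203.0.113.7 rcpt=<david.lee@example.com> code=550
2003-09-01T10:00:08 client=203.0.113.7 rcpt=<susan.brown@example.com> code=550
2003-09-01T10:00:10 client=203.0.113.7 rcpt=<james.wilson@example.com> code=550
2003-09-01T10:01:00 client=198.51.100.20 rcpt=<mike.gonzalez@example.com> code=250
2003-09-01T10:02:00 client=198.51.100.20 rcpt=<mike.gonzales@example.com> code=550
2003-09-01T10:03:00 client=198.51.100.20 rcpt=<mike.gonzalez@example.com> code=250
""".splitlines()

def find_harvesters(lines, window=timedelta(minutes=5), min_unknown=5, min_ratio=0.8):
    """Return {client_ip: distinct unknown recipients} for clients that look like
    directory harvesters: within one sliding window they tried at least
    `min_unknown` distinct addresses that were rejected as nonexistent (550),
    and those make up at least `min_ratio` of the distinct addresses they tried."""
    events = defaultdict(list)  # ip -> [(time, recipient, rejected?)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        ts = datetime.fromisoformat(m["ts"])
        events[m["ip"]].append((ts, m["rcpt"].lower(), m["code"] == "550"))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            tried = {rcpt for _, rcpt, _ in evs[start:end + 1]}
            unknown = {rcpt for _, rcpt, rejected in evs[start:end + 1] if rejected}
            if len(unknown) >= min_unknown and len(unknown) / len(tried) >= min_ratio:
                flagged[ip] = len(unknown)
                break
    return flagged

if __name__ == "__main__":
    for ip, count in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct unknown recipients probed")
```

The second client in the sample mistypes one address and is not flagged, which is why the check counts distinct unknown recipients and their share of all attempts rather than any single rejection.
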
For years the Mail Abuse Prevention System Realtime Blackhole List and other blacklists maintained by volunteer groups like Spamhaus have tried to identify the worst offenders and lock out mail originating from their addresses. Spammers retaliated by jumping to different blocks of addresses and quickly cycling through those before jumping yet again. When IT managers installed filters that rejected mail using too many exclamation marks or words like "sex" or "breast," spammers eliminated those red flags from their e-mail. A big operation like Empire Towers, a spam shop in Toledo, Ohio, can now change subject lines and cycle through domain names so rapidly that by the time victims spot a pattern, the damage is done. "If your mom writes, 'I've got great news!!!' she gets blocked," gloats Empire Towers chief Tom Cowles (see "The Junk-Mail Economy," below). His mail, meanwhile, skates through.

That's where spam sentries like Cheng come in. One way to battle Cowles and his ilk is to update spam filters as fast as the spammers can change disguises. Brightmail attempts to do this by setting up more than 1 million "probe" accounts, dummy mailboxes that aren't used for anything but trapping unsolicited e-mail. If anything lands in them, it doesn't belong there. In seconds, Cheng and his colleagues can identify each message's "fingerprint"--a unique string of numbers drawn from its text--and instruct automatic monitors at clients' e-mail servers to quarantine the offending message or any other using that text. Brightmail may send out five or six such alerts every hour.

Another way to fight spam is to keep the bad guys from getting employees' addresses in the first place. So-called "boundary surveillance" services, like MailShell, MessageLabs, and Postini, are probably the most effective way to repel the dictionary attack; they redirect a client's incoming e-mail to one of their own servers, ensuring that the corporate e-mail system never reveals any internal addresses.
As they process a client's incoming mail, these services use continually updated artificial intelligence to separate the legitimate mail from the spam, often dumping the latter into a special junk folder where it can be reviewed and efficiently deleted. Michael Jacobs, a partner at San Francisco law firm Morrison & Foerster, says that he, like many of his colleagues, was deluged by at least 60 junk solicitations a day before the firm installed Postini to guard its e-mail gateway. Now they're down to 9 or 10 such messages a day.

That's obviously a huge improvement, but it's not perfect. And that underscores an unpleasant fact about the current status of the war on spam. The good guys are far from declaring victory. Modern electronic junk-mail, with its ability to constantly alter its identity, remains a fraction of a step ahead of the most sophisticated efforts to block it.

All of which lends a kind of vigilante appeal to a new product being readied for delivery to businesses later this fall by San Francisco startup Cloudmark. Called SpamNet, it is already available in one version as a plug-in to Microsoft's ubiquitous Outlook e-mail client, and it harnesses the viral power of peer-to-peer networking to identify undesirable e-mail as quickly as it appears. Once any user marks a message as spam, it can be blocked from every other computer on the network. The software's effectiveness will depend, of course, on how many users are on the network. Still, the premise of enlisting every corporate e-mail user in an antispam posse is an intriguing one. It might be just the thing to make spammers, for a change, the ones who wake up sweating.

--Brian Caulfield