Half or more of the computing appliance vendors I’ve looked into follow very similar hardware strategies: They use mainly standard parts; they include uncommon but off-the-shelf networking (and sometimes encryption) accelerators; and they of course optimize the mix of those parts and general hardware architecture as well. (EDIT: I actually gave names to three strategies — even if they were just “Type 0″, “Type 1″, and “Type 2″ — in this overview of data warehouse appliance vendors. And in another post I considered arguments about whether one would want a data warehouse appliance at all.) Examples I’ve posted about recently include – and I quote the forthcoming column – “DATallegro and Teradata (data warehousing), Cast Iron Systems (data integration), Barracuda Networks (security/antispam), Blue Coat Systems (networking), and Juniper (security and networking).” (ANOTHER EDIT: But I think DATAllegro’s strategy has changed.)

By way of contrast, there’s also a group whose stance is more along “hardware/schmardware” lines. Sendio and Proofpoint (in most cases) don’t really do anything special at all in their boxes; what’s more, Proofpoint actually has significant software-only deployments over VMware’s virtualization layer. Kognitio and Greenplum think their software-only data warehouse offerings are appliance-equivalents too; indeed, Greenplum’s software is sold mainly bundled with Sun hardware (to the extent it’s sold at all), and Kognitio is hinting at an appliance-like offering for competitive reasons as well. Check Point Software plays both sides of the field; it offers its own kind of “virtual appliance,” but also gets many of its sales through appliance vendors. Its most interesting such partner, if not its biggest, is Crossbeam Systems, which in my opinion may very well represent the future of appliance technology.

So let’s go straight to their anti-spam technology, which is challenge/response. The basic idea is that e-mail senders, when they first message you, need to reply to a challenge e-mail for your mail to get through. After that, they’re whitelisted. What’s more, senders can be whitelisted by hand without ever going through a challenge/response cycle.

Sendio boasts almost 150 customer enterprises, concentrated in such security-sensitive markets such as financial services, healthcare, and legal services. (One advantage of being security-sensitive may be that your correspondents are open-minded to enduring the challenge/response hassle.) As per a glowing review in Government Computer News – which incidentally takes a swipe at Barracuda – spammers so far do not bother doing anything to defeat the system.

Thus, the only current conceptual problem the company admits to is that of “good” bulk e-mail – which can only be received if you manually whitelist it. They claim reasonably that the number of bulk e-mailers that need to be allowed at any particular enterprise isn’t really all that high, although that seems to be more likely true at enterprises that, for example, have very disciplined centralized purchasing practices (so that the number of vendors sending automated e-commerce-related e-mails is small).

But while things look great now, I have severe doubts as to whether challenge/response authentication is the future of anti-spam technology, for two long-discussed reasons. Let’s just suppose challenge/response technology became widespread. Then:

1. Spammers would have a strong incentive to defeat it. And it wouldn’t be hard on any level for them to train their zombie PCs to answer challenges.
2. If a legitimate e-mail address were forged as the sender of many spam messages, it would create a huge flood of challenges directed at the address. And that would make a lot of users angry, possibly causing a backlash which would lead to the effective outlawing of challenge/response.

Sendio’s 150 customers may well get some more happy cohorts. But I suspect challenge/response is inherently doomed to remain a niche technology.