I love the service model. Some guys (Im one of them) like running their own systems and tuning them and being "self-sufficient," but for almost any real company out there running your own perimeter, security is not core to your business. Why not hire someone else to do it? Even IBMs in the business now.
E-mail security is a great candidate for outsourcing for a number of reasons. E-mail is critical, but people expect a delay of some kind in delivery. Routing it through someone elses network is not unreasonable, if the delay is kept fairly short.
There are a few big companies providing services for e-mail security. Theres SpamShark from FrontBridge Technologies (Ziff Davis Media uses this service for ziffdavis.com mail); MessageLabs, which recently announced a reseller agreement with IBM; and Postini, which claims to be the fourth largest processor of e-mail in the United States. There is also eDoxs, which offers the Brighmail AntiSpam suite in an ASP model (Brightmail is now owned by Symantec).
So there are lots of choices in the e-mail security service space, and if you dont like what youre getting youre in a much better position to take your business elsewhere than if you had set up security products running in your own data center.
The list of advantages to the service model is long and appealing. The service provider sees a lot more mail than your IT people do, so they are more likely to see and deal with new threats than you can. They scan everything with multiple scanners. They have people on staff who specialize in identifying new threats. Some of them will queue up your mail if your servers go down. They protect your networks against dictionary and other harvesting attacks, and the spam they block never gets to your network to clog up your bandwidth.