One of the important things about fighting spam, one that may not be immediately obvious, is that there is no free lunch. Fighting spam can cost in the risk of false positives, or it can cost in people's time (sometimes you can spend money instead), but it always costs; you just decide where you will pay the price.

(There are many ways that it can cost in people's time; for example, putting together and managing a spam filtering system. As illustrated here, you may get to choose which people's time gets to pay the price.)

The corollary of this is that choices and features in fighting spam all have their own cost. For example, to pick one of my hot buttons, leaving your postmaster address unscreened and unblocked so that people can write to you about false positive accidents is not free; you pay in the time that your staff will spend dealing with email to postmaster (and possibly in the resulting staff burnout from dealing with a pile of spam). This cost may still be worth paying, but it is a cost and you should be aware of it.

I think that one of the reasons that this is not immediately obvious is that many of the costs are indirect costs, and indirect costs are often overlooked. It's easy to see the cost of a commercial anti-spam solution and pretty easy to see the costs of false positives (although those costs vary a lot by environment), but things like the costs of making people deal with spam themselves are far harder to quantify and measure.