Rob,

Spamassassin is more difficult to configure because commercial products
don't have the luxury of requiring more sysadmin configuration. They
have to be easy or no one would buy them. The disadvantage of them
being easier is that they have less flexibility, less information and
less site-specific configuration to work with. They also tend to be
less accurate, erring to the side of enforcement at the risk of
discarding legitimate mail.

It is important to check spamassassin to see which plugins are installed
properly and working. Spamassassin will work with only a few plugins
installed, but it will work much better if you install all plugins that
make sense for your site.

To maintain spamassassin well, you also have to have very level-headed
admins who are willing to drop even very effective plugins if they have
the potential for false positives. You have to evaluate the plugins
yourself, to some extent, and you have to trust behavior that you
observe. I recently had to decrease the score of the BOTNET plugin
significantly. It's not that the BOTNET plugin is doing something wrong --
it's simply that companies often configure their mail servers with mail
gateways and have internal/private network Received lines that trigger
the BOTNET plugin.

Commercial products tend to trap lots of spam, like a properly
configured spamassassin installation, but they also tend to get a lot of
false positives. Consider that people complain a lot more about false
negatives (spam that gets through) than false positives, especially if
they don't see the false positives. Because of this behavior pattern,
commercial products will almost always err to the side of throwing away
the baby with the bathwater. And this is more dangerous to email than
spam is.

Best,
Jesse
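
An added example, not part of the message above: one way to evaluate a rule against observed behavior before changing its score is to replay hand-sorted mail through the X-Spam-Status headers SpamAssassin already wrote and count the false positives and false negatives a new score would produce. The sample headers are constructed, and the old score of 5.0 and new score of 1.0 for BOTNET are assumed values.

```python
import re

# Layout of the X-Spam-Status header that SpamAssassin adds to scanned mail.
STATUS_RE = re.compile(
    r"(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=(\S*)")

def parse_status(value):
    """Return (score, required, set of rule names) from a header value."""
    # Long headers are folded, leaving whitespace after commas in tests=.
    flat = re.sub(r",\s+", ",", value.strip())
    m = STATUS_RE.match(flat)
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % value)
    tests = {t for t in m.group(4).split(",") if t and t != "none"}
    return float(m.group(2)), float(m.group(3)), tests

def rescore(samples, rule, old_score, new_score):
    """Replay hand-sorted mail as if `rule` scored new_score, not old_score.

    samples: list of (is_ham, X-Spam-Status value).
    Returns (false_positives, false_negatives, ham_hits, spam_hits).
    """
    fp = fn = ham_hits = spam_hits = 0
    for is_ham, value in samples:
        score, required, tests = parse_status(value)
        if rule in tests:
            score += new_score - old_score
            ham_hits += int(is_ham)
            spam_hits += int(not is_ham)
        flagged = score >= required
        fp += int(is_ham and flagged)          # legitimate mail marked as spam
        fn += int(not is_ham and not flagged)  # spam that gets through
    return fp, fn, ham_hits, spam_hits

# Constructed headers, not real mail. True = ham, False = spam.
SAMPLES = [
    (True, "Yes, score=6.1 required=5.0 tests=BOTNET,HTML_MESSAGE,\n\tRDNS_NONE autolearn=no"),
    (True, "No, score=0.3 required=5.0 tests=HTML_MESSAGE autolearn=ham"),
    (True, "No, score=4.2 required=5.0 tests=BAYES_00,BOTNET autolearn=no"),
    (False, "Yes, score=12.4 required=5.0 tests=BAYES_99,BOTNET,URIBL_BLACK"),
    (False, "Yes, score=5.5 required=5.0 tests=BOTNET,HTML_MESSAGE autolearn=no"),
    (False, "Yes, score=9.0 required=5.0 tests=BAYES_99,URIBL_BLACK"),
]

if __name__ == "__main__":
    for new in (5.0, 1.0):  # assumed old and candidate scores for BOTNET
        print(new, rescore(SAMPLES, "BOTNET", 5.0, new))
```

On this constructed set, lowering the score removes the one false positive at the cost of one spam message getting through, which is the trade-off the message describes.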