I just found this article on reputation from the spam fighter's point of view:
Spam has undergone a radical evolution during the past few years, and reputation systems are now a key technology in dealing with the ever-increasing volume of unwanted messages. Reputation systems have been in use for the past three years, but are only now becoming "table stakes" for any vendor offering email security solutions. That is, it's hard for any vendor to substantiate a high spam detection rate without relying on reputation.
The general concept behind a reputation system is that you can, with some precision, figure out the likelihood of a message being spam, based on who is sending it. IP addresses cannot be spoofed; they identify the sender and receiver of an email message and are essential to ensuring a message gets to its destination. You can fake pretty much everything else about a message, but not the originating IP address.
So how does a reputation system actually help your organization?
Its data serves as another ingredient in the spam-detection cocktail that your company uses to help determine which messages are unwanted. Adding a measure of sender intent will definitely help make the cocktail more effective. Spam-detection cocktails use hundreds of attributes, scored and optimized to determine whether a message is spam. No one attribute is fool-proof, so in general the more data you have, the more optimized your cocktail will be. It's not that reputation data will help catch spam that no other technique would catch, but another "juror" weighing in with a guilty verdict increases the confidence level of the spam decision.
So what's the catch? First, as with every other spam detection technique, reputation systems are an inexact science. And every email that gets flagged at the perimeter is essentially getting the death penalty. Most vendors' systems place borderline messages in quarantine so false positives can be retrieved. But that's why most organizations set their connection management settings conservatively, so messages from only the most egregiously bad senders will be discarded.
Now spammers are not stupid, so when they realized that these
reputation systems were affecting deliverability, they started looking
for other ways to obscure sender identities. Since IP addresses can't
be spoofed, they did the next best thing: they recruited an army of
anonymous zombies to do their dirty work for them.
Zombies are actually the fatal flaw within reputation systems. Some reputation systems assume that unknown senders (which are most likely zombies) are good, and others figure they are bad. Neither method is ideal; assuming unknown senders are bad can result in more false positives, and assuming they are good inhibits the effectiveness of the connection management function. The author of this article favors systems that take a "guilty until proven innocent" approach; it's pretty clear that a great majority of the email senders out there have bad intentions. But that approach may not work for everyone.
Fortunately for end users, reputation is only one piece of the spam-detection puzzle. In today's enterprise messaging environment, there is too much spam traffic to scrutinize every message. Reputation systems used to discard spam before a message passes through the perimeter, alleviating pressure from the gateway. While they aren't the answer to all of an organization's spam woes, when used in conjunction with other technologies, reputation systems can be a valuable addition to a corporate anti-spam strategy.