Mark C. Langston>
I'd imagine a "reputation list" to be something more informative than a
normal whitelist. Whitelists are binary: you're either on it, or you're
not. A "reputation list" (or, more generally, reputation service) would
provide a metric of some sort that measures the entity's behavior
against some known standards of behavior.
One could then adjust the received metric according to how much one
trusts/values that reputation-reporting system, and/or how much credence
one puts in the standards against which entities are evaluated.
In short, a reputation system would locate each entity at a point along
a continuum, and people could choose which reputation system(s) they
want to use to evaluate incoming mail.
Yes, this has been said before. However, practically,
is_spammer(reputation_service, cut_off_metric, sender)
is exactly equivalent to
is_spammer(whitelist, sender) for any cut_off_metric.
The only difference is that the binary split is made by the user, rather
than the provider of the reputation system (I wouldn't be surprised if this
turned out to be an important 'legal' difference). This may limit the
exposure of the provider, but the point was that MARID doesn't stop spam -
some kind of reputation system (local or 3rd party) may be used to block
messages from particular sources. MARID enables us to tie domains to IPs
(mail hosts or name servers), so we're necessarily tending to a per IP
reputation service, "graduated whitelist", call it what you will. Which we
don't *need* MARID to enable, although it might make things more
transparent. It seems to me that we're tending to a situation where we have
this lovely lightweight MARID thing which, in many cases, is going to
require an indirection to some reputation service. Which begs the question:
For anti-spam purposes, why not just cut the cr*p and take the peer IP
straight to the reputation service?