It recently struck me that one of the things that the university webmail phish attacks demonstrate is that reputation based antispam systems are now dead. The university webmail attacks aren't just a few previously good sources going bad, which has happened before; they're a systemic, broad attack on a whole class of systems that previously had a good to great 'spam reputation'.

(Well, this exaggerates the situation somewhat. There are two aspects of reputation based antispam systems; you can attempt to blacklist places that are spam sources, and you can attempt to whitelist places that are sources of good email. It is the whitelist approach that is primarily in trouble here.)

There's two aspects to this. First, it demonstrates very vividly that past good performance (emitting lots of good email and little or no spam) is no predictor of future performance, and that this happens for reasons beyond the site's control and thus beyond prediction and early warning signs. Second, I think that reputation based systems may even be counterproductive; clearly it is possible to compromise places with good reputations, and reputation based systems makes compromising such places fairly valuable.

(I do not think that this is the only reason for spammers to like compromising university webmail systems, but that's another entry.)