[Resolved] Change in ISP's position on particular spammer?

[fubar]

This may be a normal occurrence, but I am still somewhat a noob. So, I'm hoping those more experienced will explain what I observed today.

This morning I went to report a spam through SpamCop. Here is the tracking URL.

But what you see now on the tracking URL is not what I saw on the report immediately after processing and before sending the emails. On the basis of what I saw, I did not send the emails. Maybe I should have.

Here is what I saw this morning. I munged some IP details here maybe for no good reason, just to be careful. They are the same at the tracking URL:

Tracking message source: 24.43.xxx.xx:

Display data:

"whois 24.43.xxx.xx[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois abuse[at]rr.com

24.43.0.0 - 24.43.255.255:abuse[at]rr.com

Routing details for 24.43.xxx.xx

Using abuse net on abuse[at]rr.com

abuse net rr.com = abuse[at]rr.com

Using best contacts abuse[at]rr.com

ISP has indicated spam will cease; ISP resolved this issue sometime after Tuesday, September 08, 2009 9:25:36 AM -0700

Message is 1 hours old

The tracking URL now shows no indication of resolution, and the message is now 11 hours old:

Should I now report it? Or what?

Thanks in advance for any advice or explanation of how this ISP resolution thing works.

[Farelf]

Should I now report it? Or what?

Yes, if SC offers to report it now, it is safe to do so. The only thing you mustn't do is report the same spam twice. And you should ensure any tracking URL you post points to either a reported or canceled submission (if you cancel you can always reparse later and send a report then).

The sending of reports to the ISP is a dynamic thing, parse at different times and you sometimes get different results for different reasons. Few would have seen the "ISP has indicated spam will cease; ISP resolved this issue sometime after..." effectively rescinded for the same spam but the deputies keep an eye on the ISP claims of resolution and presumably revert to sending reports if there's a problem with resolution.

The important part of 'reporting' is to register a hit against the spam source IP address for the SC blocklist. Reports to the ISP are actually secondary and a courtesy only (and SC won't send them if the ISP doesn't want them - that would be SC spamming the ISP otherwise ). You shouldn't hesitate to 'report' (and as soon as you can) when there are no reports going to the ISP. The weight of your report still counts towards the block list and could even be the 'deciding vote' in getting that address listed. That weight is greater for fresh spam - see http://www.spamcop.net/fom-serve/cache/297.html (the "SCBL Rules" part describes the approximate weighting schema).

[Marking resolved - O/P has viewed and has released pending report (or someone did). Feel free to continue the topic if required - we can remove the "Resolved" tag if you want to continue/add.]

[fubar]

Thanks Farelf.

Immediately after reading your reply I reported the spam to the automagically displayed spamcop address.

I also note your admonition about leaving reports open, neither sent nor cancelled. I now see that was another misunderstanding I had about how the reporting worked. In the future I'll use the cancel button before running off in all directions asking questions about whether to report it. Then, if appropriate to report the spam (as it was this time), I'll just start a new report.

You've made the procedure so easy my dog could understand it, if I had a dog.

[Farelf]

You've made the procedure so easy my dog could understand it, if I had a dog.

Thanks for the feedback fubar - and you're most welcome. Yeah, dogs die - but they're nicer 'people' than cats, some think: http://www.dailymotion.com/video/xad10g_wally-hates-cats_fun

[Wazoo]

But what you see now on the tracking URL is not what I saw on the report immediately after processing and before sending the emails. On the basis of what I saw, I did not send the emails.

As seen at ISP Abuse Report Center .. there are various options/replies that can be made to a received Report. For an IP Address type Report, most of the options include a 24-hour stoppage on further Reporting about the same IP Address. From the times showing, your first attempted parse was within that 24-hour window. Your next look was after that 24-hour lock had expired.

[fubar]

Wazoo wrote:

... your first attempted parse was within that 24-hour window. Your next look was after that 24-hour lock had expired.

Thanks for the info Wazoo. I halfway figured I had parsed in the middle of some sort of "resolution" cycle, but I had no idea how it worked.