[Scspamcop] Re: comments to abuse addresses

Mike Easter MikeE at ster.invalid
Thu Sep 4 04:28:45 EDT 2008


RandallW wrote:
> When I use the parser there are boxes at the bottom of the screen
> allowing comments to each potential abuse address.  Lately I've been
> plugging the spam-originating IP into the Spamhaus lookup box and the
> Cbl.abuseat site; if there's an entry at one or both of the sites I
> make mention of it/them in the Spamcop parser comments boxes.  Do the
> ISPs actually read these comments?  Am I wasting my time?

Short answer: maybe/probably.  Long answer...

When I was doing my own 'manual' notifies, my style or concept of
notifying was to create an extremely brief 'template' by which I notified
providers of the 'basis' for their being notified - what role they played
in the spam such as source, spamvertiser, relay, sometimes upstream
provider or even nameservice.

That template allowed the 'comment' that a source was listed in such as
spamcop's SCbl or CBL and/or that a provider was SPEWS or spamhaus listed.
That notify also showed each notified who else was being notified, such as
upstream or whatever.

However, at the same time my 'theory' was that only a very very very tiny
percentage or 'subset' of all of the notifies 'in the world' which have
been and will be submitted to abuse desks are actually opened or much less
read by the recipient.  The only thing that might make the content useful
would be if it happened to be yours/mine.

My take or assumption on it is that provider abuse desks fall 'generally'
into blackhats and greyhats and whitehats and duncecaps.  The blackhats
aren't opening or reading their notifies unless it benefits them somehow.
The whitehats aren't opening or reading 99.9% of their notifies because
once they get a single notify about an issue which they are going to fix,
they don't need to read any more.  The greyhats aren't reading 99.9% of
their notifies because they aren't motivated to fix the problem which they
already read about once, so they don't need to keep reading about it.  The
duncecaps don't know how the problem works or how to fix it, so they also
don't need to read about it.

As a result of all of that, the idea that some people have about how many
times or how 'stridently' they make their notify or how strongly they try
to make their point that some problem needs to be fixed, the abuse desks
mostly aren't opening their mail or listening to them at all, for the
various reasons above.  Some desks are devnulling the notifies because
their hat is black or grey or dunce.  Some desks are 'sorting' their
notifies into 'piles' so each unopened item can be auto-acked because
their hat is white, but they aren't actually reading but one of them.

You waste a lot less time adding correct listings information to a SC
notify about cbl or spamhaus than I used to 'waste' with manual notifies.
The advantage of spending the time checking spamhaus and cbl is that you
have a better understanding of what and who you are notifying about
something.

--
Mike Easter
kibitzer, not SC admin


