SpamCop is a free, community-based spam email reporting service provided by Cisco. SpamCop analyzes reported spam, and extracts details about the sending IP, the URLs contained in the spam, and the networks over which the spam message has transited. This information is used to create the SpamCop Block List (SCBL). The SCBL a list of IP addresses believed to be sending Unsolicited Bulk Email. As part of its service, each week SpamCop sends millions of email messages to notify network administrators about malicious activity that is observed occurring on their networks. SpamCop receives all types of replies in response to our notification emails. Many times recipients of SpamCop’s notifications will reply to SpamCop and claim, “we did not send the spam”. The SpamCop Deputies responsible for following up on these replies have heard every excuse under the sun. For them, “we did not send the spam” is the spam block list equivalent of “the dog ate my homework.” However, every once in a while, a network administrator who claims not to have transmitted a piece of spam from their network is telling the truth. There are times when SpamCop attributes a spam email to the correct sending IP address, yet the network owner of the IP range did NOT transmit the spam in question. How in the world could this possibly be? For an example of such anomalous behavior, consider a piece of spam that was recently sent from the IP 146.0.53.17.