Yes, you could do it the other way and wait until the three day window expires. There are two reasons to do it before.
1. It's less bug-prone. If you forget to increment the counter later you have a big problem. But if you forget to decrement the counter later you are only in a little bit of trouble.
2. If you get a flood of notices about a user before the three day window expires, you probably have an obligation to disable the account.
About a DOS based on bad-faith notices, this does less business harm to you than a failure to act.
That said, I agree that decrementing the counter needs to be covered. I'll treat that as a bug report and look for a fix.
1. It's less bug-prone. If you forget to increment the counter later you have a big problem. But if you forget to decrement the counter later you are only in a little bit of trouble.
2. If you get a flood of notices about a user before the three day window expires, you probably have an obligation to disable the account.
About a DOS based on bad-faith notices, this does less business harm to you than a failure to act.
That said, I agree that decrementing the counter needs to be covered. I'll treat that as a bug report and look for a fix.