K K wrote:
[..]
> I'm hoping to find either a better and widely accepted way to handle
> non-spam-related network abuse complaints (hacking, DoS, etc), or at
> least best practices for triage on the huge volume of mail that comes
> into abuse@, procedures such that the rare legitimate complaint about
> non-spam network abuse can be routed to my team in a timely manner.

whois is the right one. But IMHO the ARIN whois is a bit limited and also odd, but that might be because I am used to seeing a different kind of data ;)

In RIPE db we have a nice IRT (Incident Response Team) object which is meant for this, see amongst others:

http://www.ripe.net/info/ncc/presentations/irt-tfcsirt6/sld001.html
http://www.ripe.net/db/support/security/irt/irt-h2.html

Next to that there is the 'abuse-mailbox' line which can be inserted with most objects, similarly to irt. These will at least allow your users to find you. Some of the tools out there that auto-spam abuse@ when they get a silly portscan use those fields, so at least you will get it at the right address and not at every other single address that is listed in whois.

Greets,
 Jeroen