K K wrote: [..]
I'm hoping to find either a better and widely accepted way to handle non-spam-related network abuse complaints (hacking, DoS, etc), or at least best practices for triage on the huge volume of mail that comes into abuse@, procedures such that the rare legitimate complaint about non-spam network abuse can be routed to my team in a timely manner.
whois is the right one. But IMHO the ARIN whois is a bit limited and also odd, but that might be because I am used to seeing a different kind of data ;) In RIPE db we have a nice IRT (Incident Response Team) object which is meant for this, see amongst others: http://www.ripe.net/info/ncc/presentations/irt-tfcsirt6/sld001.html http://www.ripe.net/db/support/security/irt/irt-h2.html Next to that there is the 'abuse-mailbox' line which can be inserted with most objects, similarly to irt. These will at least allow your users to find you. Some of the tools out there that auto-spam abuse@ when they get a silly portscan use those fields, so at least you will get it at the right address and not at every other single address that is listed in whois. Greets, Jeroen