Jim,

Sanitized, I can share the text of a form message composed by someone I know and respect.

I agree with Paul: pursuing these in far-away places is often a no-hoper. OTOH, if you can automate the process, sending these to ROC or Katmandu can't hurt. *Definitely* worthwhile sending these to ISPs and operators closer to home. I agree that it is really a responsibility. Just like calling the cops when you witness a burglary in progress.

Jim

Example:
==================================================================
To: abuse @ foo.com
Subject: SECURITY: Network attack from xxx.xxx.xxx.xxx

Hello abuse @ foo.com.

At about Oct 14 13:56:35 2004 PDT, Pacific Time, someone attacked our network from xxx.xxx.xxx.xxx, which is (according to ARIN) under your technical and/or administrative control.

We acknowledge that the host in question may have been compromised by someone outside of your organization, in which case the system administrator for the host at xxx.xxx.xxx.xxx should be notified that their equipment is being used for unauthorized, if not criminal, purposes.

We keep our log files for up to four weeks. If you have any questions, please contact us at 999-555-1234, Mon - Fri, 8am to 5pm Pacific Time.

There may be some extracted log data below.

Please acknowledge receipt of this message. Thank you.

--
Your Name Here
Official-Sounding Title
yourbigdomain.com

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Oct 14 13:55:19 ourfirewall sshd[16702]: Did not receive identification string from xxx.xxx.xxx.xxx
[lots of other incriminating log file stuff here.....]
_________________________
Jim


'Tis the exceptional fellow who lies awake at night thinking of his successes.
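
One way to automate the form message above, as an added example that is not part of the original post: it groups sshd probe lines like the one quoted by source address and fills a shortened version of the template for each source. The log lines, addresses and contact are constructed, and `abuse_contacts` is assumed to come from a whois lookup done separately.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
Oct 14 13:55:19 ourfirewall sshd[16702]: Did not receive identification string from 192.0.2.44
Oct 14 13:56:35 ourfirewall sshd[16710]: Did not receive identification string from 192.0.2.44
Oct 14 14:02:01 ourfirewall sshd[16755]: Did not receive identification string from 198.51.100.7
Oct 14 14:03:12 ourfirewall sshd[16760]: Accepted publickey for jim from 203.0.113.9 port 4022 ssh2
Oct 14 14:04:40 ourfirewall sshd[16771]: Did not receive identification string from not-an-ip
"""

PROBE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                   r"Did not receive identification string from (\S+)$")

TEMPLATE = """\
To: {abuse}
Subject: SECURITY: Network attack from {ip}

At about {when} {tz}, someone attacked our network from {ip}, which is
(according to ARIN) under your technical and/or administrative control.

Please acknowledge receipt of this message. Thank you.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
{lines}
"""

def group_probes(log_text):
    """Map each valid source address to its (timestamp, raw_line) probe events."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = PROBE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))  # rejects junk after "from"
        except ValueError:
            continue
        hits[ip].append((m.group(1), line))
    return dict(hits)

def build_reports(log_text, abuse_contacts, tz="PDT"):
    """Render one report per source with a known contact; syslog has no zone, so tz is passed in."""
    reports = {}
    for ip, events in group_probes(log_text).items():
        if ip in abuse_contacts:  # sources without a looked-up contact are skipped
            reports[ip] = TEMPLATE.format(abuse=abuse_contacts[ip], ip=ip, when=events[-1][0],
                                          tz=tz, lines="\n".join(raw for _, raw in events))
    return reports
```

Calling `build_reports(SAMPLE_LOG, {"192.0.2.44": "abuse@example.net"})` returns one message body keyed by source address, ready to hand to whatever mailer is in use.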