This is a prototype report: the information shown is for illustration purposes only and may not represent actual spamming activity.
    <abuse type>: <abused resource>; <complaint target>
    <abuse specimen>

A spam that went through 2 relays from a dialup and advertised 3 URLs might have these lines above the spam sample:

    SMTP-Relay: 10.2.3.4; abuse@isp.kr
    SMTP-Relay: 10.4.5.6; abuse@isp3.jp
    SMTP-Source: 172.17.18.19; abuse@uu.net.th
    Header-Mail-Address: dropbox@mail.com; abuse@outblaze.com
    Body-Mail-Address: bigmoney@yahoo.com.ag; abuse@yahoo.com.ag
    Body-Mail-Address: remove@eudoramail.co; abuse@eudoramail.co
    Body-URL: http://spamhaven.rackspace.net/pornpage?refid=abrunner; abuse@rackspace.net
    Body-URL: http://spamhaven.exodus.net/pornpage?refid=abrunner; abuse@exodus.net
    Body-URL: http://spamhaven.idt.net/pornpage?refid=abrunner; abuse@idt.net
    Sender-Incident: 1234356; spamreporter@mydomain.tld
    Related-Incidents: 234567,98765,233445; abuse@uu.net.th
    Related-Incidents: RT-0012,RT-0987; abuse@rackspace.net
This would provide each target ISP with everything they need to know about why they are getting the report. If the report is misdirected, each target has a clear reference to use to redirect the report properly (for example, if there is a downstream responsible party) or just bounce it (for example, if the reporter flubbed an ARIN lookup).

In some cases handling could be fully automated. For example, a provider of mail services could take the relevant lines ending in their abuse address, parse out the email addresses, determine whether they were ever valid, and dump the complaint with a bot response selected according to whether the address was fully fake or is a recent corpse. ISPs with gray hats could even automate gems like "We only prohibit spam from our own network, not spam advertising sites on our network."
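The automated handling described above could start from a parser like the following. This is an added example, not code from the original proposal; the function names, and the assumption that a blank line separates the header lines from the spam specimen, are hypothetical.

```python
import re
from collections import defaultdict

# Header lines copied from the example report; the blank line and the
# specimen line after it are constructed for this example.
SAMPLE_REPORT = """\
SMTP-Relay: 10.2.3.4; abuse@isp.kr
SMTP-Relay: 10.4.5.6; abuse@isp3.jp
SMTP-Source: 172.17.18.19; abuse@uu.net.th
Header-Mail-Address: dropbox@mail.com; abuse@outblaze.com
Body-Mail-Address: bigmoney@yahoo.com.ag; abuse@yahoo.com.ag
Body-Mail-Address: remove@eudoramail.co; abuse@eudoramail.co
Body-URL: http://spamhaven.rackspace.net/pornpage?refid=abrunner; abuse@rackspace.net
Body-URL: http://spamhaven.exodus.net/pornpage?refid=abrunner; abuse@exodus.net
Body-URL: http://spamhaven.idt.net/pornpage?refid=abrunner; abuse@idt.net
Sender-Incident: 1234356; spamreporter@mydomain.tld
Related-Incidents: 234567,98765,233445; abuse@uu.net.th
Related-Incidents: RT-0012,RT-0987; abuse@rackspace.net

Subject: constructed specimen line; victim@example.invalid
"""

# <abuse type>: <abused resource>; <complaint target>
# The greedy resource group splits on the LAST ';', so a ';' inside a URL survives.
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.+);\s*(\S+@\S+)\s*$")

def parse_report(text):
    """Return (abuse_type, resource, target) tuples from the header block."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            break  # assumption: headers end at the first blank/non-header line
        entries.append((m.group(1), m.group(2).strip(), m.group(3).lower()))
    return entries

def by_target(entries):
    """Group entries by complaint target so each ISP sees only its own lines."""
    grouped = defaultdict(list)
    for abuse_type, resource, target in entries:
        grouped[target].append((abuse_type, resource))
    return dict(grouped)

def mail_addresses_for(entries, abuse_address):
    """Addresses a mail provider would check for validity (*-Mail-Address lines)."""
    return [res for typ, res, tgt in entries
            if tgt == abuse_address.lower() and typ.endswith("Mail-Address")]
```

A mail provider would feed the result of mail_addresses_for() into its own account lookup to choose the canned response; that lookup is outside this example.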