Hi,

I'm the author of the CyberAbuse whois, which is a tool that catches the "most suitable" abuse contact email for a specific IP/host by searching in the RIRs' whois results. It's security and network abuse oriented... it's used in many CERTs or IRTs.

I understand there's a new (and long waited for) abuse-mailbox field that my program should catch in the RIPE db. I'd like to know what you would recommend as the behavior for catching the "best possible" abuse contact in the RIPE db.

Here is how the cyberabuse whois used to work (for RIPE):

1 - search for an IRT object (mnt-irt); if one exists, go catch the associated e-mail
2 - search for an email in all the remarks/trouble/descr fields with the abuse/security/cert/csirt string in it
3 - search for the admin-c's email, if any
4 - search for the tech-c's, if any
5 - search for the first email found

I think I'm going to add a search for the abuse-mailbox field between (1) and (2).

Is this how you would do it? Any other comments/suggestions?

Sincerely,
Philippe Bourcier
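
The lookup order described in the message above, with the proposed abuse-mailbox step placed between (1) and (2), as an added Python sketch (not the CyberAbuse whois code). Assumptions: the whois reply is RPSL text with objects separated by blank lines, abuse-mailbox is looked for in every returned object, step 2 matches the keyword anywhere on the attribute line, and the function names and sample data are made up for illustration.

```python
import re

ATTR = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$", re.M)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HINT = re.compile(r"abuse|security|cert|csirt", re.I)

def parse_objects(text):
    """Split RPSL-style whois output into objects, each a list of (attr, value)."""
    blocks = (ATTR.findall(b) for b in re.split(r"\n\s*\n", text))
    return [[(a.lower(), v.strip()) for a, v in b] for b in blocks if b]

def emails(objects, attrs=None, hint=None):
    """Addresses in the given attributes (any if None), only on lines matching hint."""
    return [m for o in objects for a, v in o if (not attrs or a in attrs)
            and (not hint or hint.search(v)) for m in EMAIL.findall(v)]

def via(objects, net, ref_attr, key_attr):
    """E-mail of the objects that the network object names in ref_attr."""
    keys = {v for a, v in net if a == ref_attr}
    return emails([o for o in objects if any((key_attr, k) in o for k in keys)], ("e-mail",))

def best_abuse_contact(text):
    """Return (rule, address) for the first rule that yields an address."""
    objects = parse_objects(text)
    net = next((o for o in objects if o[0][0] in ("inetnum", "inet6num")), [])
    rules = [
        ("irt", via(objects, net, "mnt-irt", "irt")),                    # step 1
        ("abuse-mailbox", emails(objects, ("abuse-mailbox",))),          # proposed step
        ("free-text", emails(objects, ("remarks", "trouble", "descr"), HINT)),  # step 2
        ("admin-c", via(objects, net, "admin-c", "nic-hdl")),            # step 3
        ("tech-c", via(objects, net, "tech-c", "nic-hdl")),              # step 4
        ("first-email", emails(objects)),                                # step 5
    ]
    return next(((name, found[0]) for name, found in rules if found), (None, None))

SAMPLE = """% Constructed sample (documentation range, example domains), not real data
inetnum:        192.0.2.0 - 192.0.2.255
descr:          Example Net, CERT contact cert@example.net
admin-c:        AA1-EX
tech-c:         AA1-EX
mnt-irt:        IRT-EXAMPLE

irt:            IRT-EXAMPLE
e-mail:         irt@example.net
abuse-mailbox:  abuse@example.net

person:         Alice Admin
nic-hdl:        AA1-EX
e-mail:         alice@example.net"""
```

Returning the rule name along with the address lets a caller see how far down the fallback chain the lookup had to go, which is a rough indicator of how trustworthy the contact is.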