
Re: Should I report hacking attempts? - Server Fault

Lots of people look at their own logs for attacks from the outside. But who regularly reports such attacks back to the source? I'm mainly imagining that happens for attempts that originate from inside the networks of reputable organizations (e.g. from a compromised machine within a university or business or ISP).

How many organizations welcome these kinds of reports and tend to handle them effectively? Is there a way to identify those that do?

What tools exist to help identify such attacks and make such reports?

  • Identifying the sorts of abuse that are useful to report
  • Finding who to report to
  • Including the information that would help the organization track down the origin of the attack and/or who is responsible
  • Dealing with reports that get bounced, or whatever?

See also: Detecting website attack attempts

nealmcb
  • Do you mean someone on the outside reporting to the organization that someone inside is trying to hack something outside the organization's network? – Steve Feb 03 '11 at 17:13

1 Answer


The organisations that have this down to a fine art are the global Security-As-A-Service companies. They are the only players big enough to hook into ISPs, Fortune 350s etc. They also work well with organisations to understand their asset register - helping weed out the attacks that might be real.

If you don't use one of them to manage your perimeter security, the workload to identify attacks at the perimeter needs to be passed off to scripts or devices in the main part - for most organisations there are just too many attempted attacks.

If you can implement a perimeter device to drop basic attacks this should take care of general port scanning. The types of abuse you might detect inbound from that device that aren't useful to report include exploit attempts which don't match your infrastructure (eg Windows attacks against Unix machines), brute force attacks etc.

If an attack comes from a registered corporate you may have luck - eg reporting to HP's abuse contact can get very quick results - as big companies don't want the legal ramifications of dealing with a computer they own being implicated in an attack.

------- so much for the good stuff -------

Finding out who to report to is a major issue. Look up ARIN, RIPE or your regional equivalent - you'll find that the whois records for 'bad guys' are unlikely to be correct, and in any case a large number of automated scans and attacks come from compromised home computers or botnets, so while you may have a contact at an ISP, they may have no power to do anything. They might have outsourced subnets to other ISPs anyway, or they may just not want to be involved.

From experience, you are much more likely to get action if you are a security person working for a Fortune 350, failing that you must expect bounces or ignored communications. The way round this is often to contact their CEO, CISO or Marketing Director :-)

In terms of information to include - the log and any timestamp offset information are the key items to pass on.

Rory Alsop