Morning Johnny
Okay, so here's how it works ..
Records are stored in records table, they have the following fields
rid - record identifier
hid - host identifier
email - email address
hostname - hostname that hid is hosting
address - ip address of client
country - optional ( I will fill in the blanks with GeoIP, you can send this information if you have it
created - timestamp for creation date, indicating this rid concerns a creation
deleted - timestamp for termination date, indicating this rid concerns a termination
suspended - timestamp for suspension date, indicating this rid concerns a suspension
unsuspended - timestamp for unsuspension date, indicating this rid concerns an unsuspension
criminal - integer ( boolean ) value indicating if rid this record concerns is associated with criminal activity ( that includes breaking TOS, they are a legal contract bla bla bla )
notes - these could be generated or written, doesn't matter, no standard format, if you have something useful to say and a way to say it then include it for the benefit of other people
When you call record.create, record.delete, record.unsuspend, or record.terminate, it creates a new record with unique rid ( and returns it ), the timestamp is stored in the appropriate column.
Keeping records seperate means hosts can manage their own stuff with record.sync and record.remove, record.remove physically removes the record from the database, record.delete indicates a termination event.
if you search.* for records, if any of the records returned contain a criminal member that is true, you know there's something going on, especially if the records returned contain multiple hosts, enough host information is returned in each record, such as the hosting type, if they are paid, their hostname and their internal id, for you to make an automated decision ...