What I'm after is a means of automating tracing for abuse complaints.

me too. but I don't see how we can do that without providing
non-repudiation.

It is not clear to me that by "hash" you meant digital signature, but
clearly you need a signature for non-repudiation.

you have to have something to sign that is derived from the message in
a repeatable fashion. actually it's not the hash function that needs
to be defined (SHA-1 would work fine), rather, it's the
canonicalization function that is applied to a message before computing
the hash.

otherwise it becomes easy to DoS somebody by forging mail as if it
were from them and generating lots of complaints about it.

We need to be careful to avoid getting too wrapped up in DoS attacks.
The problem is that it's possible with or without a hash and a
signature.

yes, but once the complaint systems are automated then attacks on a
sender using fake reports of abuse from that sender become more
feasible. and chances are the complaints that have originator-id
fields are the ones that will be automated.

one nice thing - if the complaints themselves are required to have
verifiable originator-id fields then attacking a user by sending fake
abuse reports exposes the attacker :)
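
The canonicalization point raised in the thread, as an added example that is not part of the original messages: the digest that would be signed only survives transit if both ends reduce the message to the same bytes first. The canonicalization rules, the sample messages and the choice of SHA-256 are assumptions made for illustration, not taken from the thread or from any standard.

```python
import hashlib

def canonicalize(raw: bytes) -> bytes:
    """Assumed canonical form: CRLF line endings, unfolded headers,
    lowercase header names, collapsed header whitespace, no trailing
    whitespace on body lines, no trailing blank body lines."""
    text = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    head, _, body = text.partition(b"\n\n")
    headers = []
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1] += b" " + line.strip()  # unfold a continuation line
        else:
            headers.append(line)
    canon_headers = []
    for h in headers:
        name, _, value = h.partition(b":")
        canon_headers.append(name.strip().lower() + b":" + b" ".join(value.split()))
    body_lines = [l.rstrip(b" \t") for l in body.split(b"\n")]
    while body_lines and body_lines[-1] == b"":
        body_lines.pop()
    return (b"\r\n".join(canon_headers) + b"\r\n\r\n"
            + b"\r\n".join(body_lines) + b"\r\n")

def message_digest(raw: bytes, canonical: bool = True) -> str:
    """Digest over the canonical form (or the raw bytes, for comparison)."""
    data = canonicalize(raw) if canonical else raw
    return hashlib.sha256(data).hexdigest()

# Constructed samples: the same message as sent, and as a relay might deliver
# it (bare LF, refolded Subject, changed header case, trailing whitespace).
AS_SENT = (b"From: alice@example.org\r\nSubject: quarterly  report\r\n\r\n"
           b"See attached.\r\nThanks\r\n")
AS_RECEIVED = (b"from: alice@example.org\nSubject: quarterly\n report\n\n"
               b"See attached.  \nThanks\n\n\n")
# Constructed sample: a real content change, which must still alter the digest.
TAMPERED = AS_SENT.replace(b"See attached.", b"See attached!")

if __name__ == "__main__":
    for label, msg in (("sent", AS_SENT), ("received", AS_RECEIVED),
                       ("tampered", TAMPERED)):
        print(label, message_digest(msg, canonical=False)[:16],
              message_digest(msg)[:16])
```

The raw digests of the sent and received copies differ while their canonical digests match, and the tampered copy differs under both.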