How about using SMTP AUTH and verifying the envelope MAIL FROM to match the actual user authenticating?
that doesn't work if you have more than one email address.
You should know all your users email addresses. It shouldn't be too difficult to match the 'mail from' address with the user account. The only caveat would be that joe@hotmail.com would actually have to use the hotmail smtp server to send mail.
This will make SPAM traceable and hopefully ultimately users aware that their PC is sending junk.
auth is sufficient to make email traceable to your own customers.
And how is that? There isn't necessarily anything in an email indicating that it originated from an SMTP AUTH authenticated user. While a header could be added, it isn't a mandatory thing. Adi