If the cancel cannot be authenticated (e.g., because the original article lacks the "Cancel-lock: M2" header, or the cancel lacks the "Cancel-key: M1" header such that H(M1)=M2), then INN should forward the unauthenticated cancel to one or more "collection centers" so the author of the original article may be notified.
So if 70% of Usenet follows this scheme a handful of forged cancels can easily cause melt down.
Each "collection center" deamon should wake up periodically (say, every hour), group the collected unauthenticated cancels by message-ids of the cancelled articles, and e-mail the (distinct) addresses (other than "usenet@*" or "news@*") mentioned in the "From:", "Sender:", "Authorized:", and "X-Cancelled-By:" headers, quoting the unauthenticated cancel and the Path's as seen at many different sites that forwarded the cancels. This way, if the unauthenticated cancel is indeed forged, its author will see within hours that it has been fraudulently cancelled _and_ will automatically receive enough "Path:" samples from all over the world to see where it was posted, by comparing the "Path:" headers in several forwarded copies.
I can post a handful of articles and forge the From line, and create my own Cancel-lock headers by "rolling the dice." I can then get their mailbox bombed by forging cancels. A little more complicated then "sendsys-bombing" but not much more so. /r$