Mentat

I am not sure how to solve some edge cases.

For example, for a given source address there is generated report A with event class 1. A few minutes later reporter generates report B with event class 2. One week later (after thresholding period ends) there is report C, which contains events with both event class 1 and event class 2. Now which report it should reference? Both? I don't know how will the mail agents behave when email references 2 unrelated older emails.

I'm afraid this won't work (correctly) for email references/in-reply-to. In theory, you can have arbitrarily complex digraph made of references in email, in reality the maximum clients can do is tree (threads). I'm afraid in case of ambiguity, the mail client will take the first (in an arbitrary client notion of "first") thread match and run away with it.

Relapse-treshold link could work in web interface, where class sections can bear a hyperlink to the original culprit.

I'm afraid the most we can get from mail threading is to link together the same IP within the "case open" timeframe and shrug it off.