I work at an international school and an incident has recently arisen. A disgruntled employee has downloaded the parent email list (thus the thievery) and is sending defamatory emails a few times a week based on meeting minutes and general gossip. The individual is switching emails each time (they are using ProtonMail and Gmail accounts). I also suspect that they are using an AI language filter or some sort of program that alters writing style.
The suspect list has been narrowed down to a handful of admin.
My first inclination is to send different (juicy as it were) information to different people coming from a teacher unaware of the situation and claim that I accidentally used bcc instead of cc and apologize in an email sent to all the admin staff for "my poor use of tech", thus lessening the suspicion of misinformation. This would hopefully entice the perpetrator to share some identifying info in their next email.
What do you think is the best course of action?
I know this is weird, but there are a lot of people here who are smarter than me and I figured it was worth a shot.
If the user is using a mobile device, this can present challenges - and if they sat in coffee shops to send this email you'll have a lot harder time ID'ing the user.
Once you have an idea what IP address(es) are sending these, then you check your VPN logs to compare the source IPs. This should be fairly easy and could directly finger your sender.
With these logs and some suspected source IPs, you might be able to figure out which user is doing this - even with ISPs using dynamic addressing, IPs are still held for weeks/months on networks - so this should hold up.
If the user is using a unique mobile service or a cloud emailing service - this can also be correlated to their mobile devices using DNS request logs. If they're using Google to do this, your lawyer could subpoena the user from them.
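The VPN-log comparison described in the reply above, as an added example that is not part of the original posts. The log format, account names, addresses (documentation ranges) and the 7-day window are all assumptions; the window stands in for how long a dynamically assigned address is trusted to belong to the same subscriber.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed VPN login records (hypothetical format): time, account, client source IP
VPN_LOG = """\
2024-03-01T07:55:00,admin_a,198.51.100.17
2024-03-03T19:20:00,admin_b,203.0.113.40
2024-03-05T08:02:00,admin_a,198.51.100.17
2024-03-20T21:10:00,admin_c,203.0.113.40
2024-04-20T08:00:00,admin_b,192.0.2.8
"""

# Constructed sightings: send time of a message and the source IP attributed to it
SIGHTINGS = [
    ("2024-03-04T22:15:00", "203.0.113.40"),
    ("2024-03-08T23:05:00", "203.0.113.40"),
    ("2024-03-15T06:30:00", "192.0.2.8"),
]


def parse_vpn(text):
    """Parse the CSV log into (datetime, account, source_ip) tuples."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    return [(datetime.fromisoformat(t), user, ip) for t, user, ip in rows]


def correlate(vpn_rows, sightings, window_days=7):
    """Map each sighting to the accounts that logged in to the VPN from the
    same source IP within +/- window_days of the send time.

    An IP match outside the window is ignored: with dynamic addressing the
    address may have been reassigned to a different subscriber by then.
    """
    window = timedelta(days=window_days)
    result = {}
    for ts_text, ip in sightings:
        ts = datetime.fromisoformat(ts_text)
        accounts = {user for seen, user, src in vpn_rows
                    if src == ip and abs(seen - ts) <= window}
        result[(ts_text, ip)] = sorted(accounts)
    return result


if __name__ == "__main__":
    for sighting, accounts in correlate(parse_vpn(VPN_LOG), SIGHTINGS).items():
        print(sighting, "->", accounts or "no VPN login from this IP in window")
```

A sighting that maps to several accounts, or to none, is as informative as a single match: it points to a shared or reassigned address rather than one person.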