
Get full email samples - forward them "as attachment" so all headers are intact. Look over the headers and determine the source IP for the initial email connections - they might be the same for multiple messages in the same batch - or will be from the same ISP. The MX Toolbox has a header analyzer that can help figure where they start from.

If the user is using a mobile device, this can present challenges - and if they sat in coffee shops to send this email you'll have a lot harder time ID'ing the user.

Once you have an idea what IP address(es) are sending these, then you check your VPN logs to compare the source IPs. This should be fairly easy and could directly finger your sender.

With these logs and some suspected source IPs, you might be able to figure out which user is doing this - even with ISPs using dynamic addressing, IPs are still held for weeks/months on networks - so this should hold up.

If the user is using a unique mobile service or a cloud emailing service - this can also be correlated to their mobile devices using DNS request logs. If they're using Google to do this, your lawyer could subpoena the user from them.




> Look over the headers and determine the source IP for the initial email connections

You won't see anything, just that it was sent from gmail and protonmail. They don't insert the user's IP address in the headers.

Not through web interface at least.
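
Added example, not part of any comment in the thread: a sketch of the header-to-VPN-log correlation from the first comment that also handles the case raised in the reply, where the earliest visible hop is the mail provider's own relay. The provider suffix list, the sample messages, the VPN records and the 30-day window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumption: relay hostname suffixes of the two providers named in the thread.
PROVIDER_SUFFIXES = (".google.com", ".protonmail.ch")
HOP_RE = re.compile(r"from\s+(\S+).*?\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", re.S)

def first_hop(raw_eml):
    """Return (host, ip, when) for the earliest Received hop with a bracketed IP, else None."""
    msg = message_from_string(raw_eml)
    # Each relay prepends its header, so the last Received line is the first hop.
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if m and ";" in hdr:
            when = parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())
            return m.group(1).lower(), m.group(2), when
    return None

def vpn_candidates(hop, sessions, window=timedelta(days=30)):
    """Users whose VPN source IP equals the hop IP within `window` of the message."""
    if hop is None or hop[0].rstrip(".").endswith(PROVIDER_SUFFIXES):
        return []  # webmail: the first visible hop is the provider, not the sender
    _, ip, when = hop
    return sorted({u for u, src, seen in sessions
                   if src == ip and abs(seen - when) <= window})

# Constructed samples (documentation-range IPs, made-up hosts and users).
DIRECT = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.corp.example with ESMTP; Tue, 05 Mar 2024 14:02:11 +0000
Received: from laptop.local ([203.0.113.45])
 by mx.example.net with ESMTPSA; Tue, 05 Mar 2024 14:02:09 +0000
Subject: sample

body
"""
WEBMAIL = """\
Received: from mail-out-1.google.com (mail-out-1.google.com. [198.51.100.20])
 by mail.corp.example with ESMTPS; Tue, 05 Mar 2024 15:10:00 +0000
Subject: sample

body
"""
UTC = timezone.utc
VPN = [("alice", "203.0.113.45", datetime(2024, 3, 1, 8, 0, tzinfo=UTC)),
       ("bob", "198.51.100.99", datetime(2024, 3, 5, 9, 0, tzinfo=UTC))]

if __name__ == "__main__":
    for name, eml in (("direct", DIRECT), ("webmail", WEBMAIL)):
        print(name, first_hop(eml), vpn_candidates(first_hop(eml), VPN))
```

An empty result for the webmail sample means the headers give nothing to correlate, which leaves the DNS-log and legal routes mentioned in the first comment.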



