How to Catch a "Thief"

I work at an international school and an incident has recently arisen. A disgruntled employee has downloaded the parent email list (thus the thievery) and is sending defamatory emails a few times a week based on meeting minutes and general gossip. The individual is switching emails each time (they are using protonmail and gmail accounts). I also suspect that they are using an AI language filter or some sort of program that alters writing style.

The suspect list has been narrowed down to a handful of admin.

My first inclination is to send different (juicy as it were) information to different people coming from a teacher unaware of the situation and claim that I accidentally used bcc instead of cc and apologize in an email sent to all the admin staff for "my poor use of tech", thus lessening the suspicion of misinformation. This would hopefully entice the perpetrator to share some identifying info in their next email.

What do you think is the best course of action?

I know this is weird, but there are a lot of people here who are smarter than me and I figured it was worth a shot.

5 points | by sudoaptinstall 9 days ago

10 comments

  • jpiratefish 9 days ago
    Get full email samples - forward them "as attachment" so all headers are intact. Look over the headers and determine the source IP for the initial email connections - they might be the same for multiple messages in the same batch - or will be from the same ISP. The MX Toolbox has a header analyzer that can help figure where they start from.

    If the user is using a mobile device, this can present challenges - and if they sat in coffee shops to send this email you'll have a lot harder time ID'ing the user.

    Once you have an idea what IP address(es) are sending these, then you check your VPN logs to compare the source IPs. This should be fairly easy and could directly finger your sender.

    With these logs and some suspected source IPs, you might be able to figure out which user is doing this - even with ISPs using dynamic addressing, IPs are still held for weeks/months on networks - so this should hold up.

    If the user is using a unique mobile service or a cloud emailing service - this can also be correlated to their mobile devices using DNS request logs. If they're using Google to do this, your lawyer could subpoena the user from them.

    • KomoD 9 days ago
      > Look over the headers and determine the source IP for the initial email connections

      You won't see anything, just that it was sent from gmail and protonmail. They don't insert the user's IP address in the headers.

      Not through web interface at least.
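The header walk jpiratefish describes, together with KomoD's caveat, as an added example that is not from the thread: it parses the Received: chain of a message saved with full headers (forwarded "as attachment") and reports the earliest hop that recorded a connecting address. The sample message, hostnames and addresses are constructed (documentation ranges only), not real headers from the emails in question.

```python
"""Walk the Received: chain of a message forwarded "as attachment" and list
each hop's client IP in chronological order.  Added example (not from the
thread); the message below is constructed with documentation-range addresses."""
import email
import ipaddress
import re

# Constructed sample: a message submitted through a webmail provider.  The
# earliest hop is the provider's own relay and records no client address,
# which is what the thread says to expect from Gmail/Proton webmail.
SAMPLE_MESSAGE = b"""\
Received: from mx.example-school.test (mx.example-school.test [203.0.113.10])
\tby inbox.example-school.test with ESMTPS id abc123
\tfor <parent@example-school.test>; Mon, 01 Apr 2024 09:15:02 +0000
Received: from relay.webmail-provider.test (relay.webmail-provider.test [198.51.100.25])
\tby mx.example-school.test with ESMTPS id def456;
\tMon, 01 Apr 2024 09:15:01 +0000
Received: by relay.webmail-provider.test with SMTP id ghi789;
\tMon, 01 Apr 2024 09:15:00 +0000
From: someone@webmail-provider.test
To: parent@example-school.test
Subject: constructed sample

body
"""

# "from <host> (<comment> [<ip>]) by <host> ..."; the from-part is optional
# because the first hop of a webmail submission often starts with "by".
HOP_RE = re.compile(
    r"^(?:from\s+(?P<from_host>\S+)(?P<from_info>.*?))?(?:^|\s)by\s+(?P<by_host>\S+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")


def received_chain(raw):
    """Parse Received: headers into hops, earliest first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # headers are newest-first
        text = " ".join(str(value).split())               # unfold the header
        m = HOP_RE.match(text)
        if not m:
            continue
        client_ip = None
        ip_match = IP_RE.search(m.group("from_info") or "")
        if ip_match:
            try:
                client_ip = str(ipaddress.ip_address(ip_match.group(1)))
            except ValueError:
                client_ip = None  # malformed literal, treat as not recorded
        hops.append({"from_host": m.group("from_host"),
                     "client_ip": client_ip,
                     "by_host": m.group("by_host")})
    return hops


def originating_hop(raw):
    """First hop that recorded a connecting address.  hops_before > 0 means an
    earlier hop (the provider's submission step) recorded no client IP, so the
    address returned belongs to the provider, not to the sender's device."""
    for i, hop in enumerate(received_chain(raw)):
        if hop["client_ip"]:
            return {"client_ip": hop["client_ip"], "hops_before": i}
    return None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(hop)
    print(originating_hop(SAMPLE_MESSAGE))
```

Run against the sample, the earliest recorded address is the provider relay with one hop before it; that is the signal that the chain stops at the provider and the VPN-log comparison jpiratefish suggests has nothing to match against. A chain whose first hop already carries a client address (typical of a mail client or an organisation's own relay) is the case where that comparison can work.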

  • neontomo 9 days ago
    I have a few ideas.

    Sometimes when you reset an email account password it will tell you a part of the recovery email if there is one. This could be a clue.

    Send an email to one of the emails used by the perpetrator while in a meeting and see if any of your staff reacts.

    If you have access to the routers, compare device names of people logged on while the emails are sent out (if they’re sending in the building).

    Are any of your staff using protonmail as their main email provider? Search slack for any discussion or snippets with proton emails.

    Does downloading the parent email list cause a log to trigger?

    While in a meeting speak as normal and then when you mention something that is slightly gossipy, observe whose eyes widen or body language changes.

    Simply speak to your staff and determine whether they are happy in their positions. This is good practice anyway.

    Don’t be obvious.

    • sudoaptinstall 9 days ago
      Thanks for the suggestions.

      It appears that the individual is using their phone to log into the company email, so there's no trail coming from the school routers or email account.

      I hadn't thought about trying to trigger the reset notifications. I'll look into that.

      We have a few people in mind, but with no actual proof the school is afraid of taking steps due to litigation based on "unfounded accusations".

  • ActorNightly 8 days ago
    BCC is going to look pretty obvious phishing.

    You are correct that the only way to catch the person is unique information sent to each one - the best way to do this is to register a domain for a website that looks like something close to an official school website. For example, if you are "school.com", you can try something like fileshare-school.com. The backend for the website then automatically sends out unique information based on a fingerprint of a user, including IP address. I've used AWS Lambda + API Gateway for this because it's free and you get the full HTTP request when you do HTTP passthrough. Then you send the link through an email to everyone and see if the person takes the bait.

    It's less precise, but it could get your pool narrower. Bonus points if you fake a login page that looks like the school's one, as it will get you the exact person.

  • KomoD 9 days ago
    Sounds like a good time to involve the cops, possibly? Sounds illegal to me...? They'll be able to link the protonmail and gmail accounts back pretty easily, I assume.

    If there's some kind of staff site/portal/whatever with authentication, send them a unique link and somehow trick them into clicking it?

    • sudoaptinstall 9 days ago
      It's very much illegal to take the parent emails. The authorities have been contacted, but that route takes time. The person is sending a few emails a week now. From the content we have narrowed it down to a handful of people, but there's nothing solid that we can take steps with.
  • goles 8 days ago
    As someone else mentions, your first thought: set a canary trap. If the person is sending defamatory information, pretend to leak several ever so slightly different versions of things happening that the suspect is interested in.

    https://www.canarytrap.com/what-is-a-canary-trap/

    "Each summary paragraph has six different versions, and the mixture of those paragraphs is unique to each numbered copy of the paper. There are over a thousand possible permutations, but only ninety-six numbered copies of the actual document. The reason the summary paragraphs are so — well, lurid, I guess — is to entice a reporter to quote them verbatim in the public media. If he quotes something from two or three of those paragraphs, we know which copy he saw and, therefore, who leaked it ... You can do it by computer. You use a thesaurus program to shuffle through synonyms, and you make every copy of the document totally unique." - Patriot Games https://www.businessinsider.com/nba-canary-trap-media-2014-1...

    If any of the future emails include one detail over another it's likely it was that person. Repeat 3-4 times until you can establish a trend. If you send newsletters or weekly emails specifically start tweaking the emails your suspects receive. If/when LE can get a warrant signed on any of the used accounts they'll easily be able to find the person.

    If you send out any images you could steganographically hide a watermark in an image if the person leaks it, even if it's just your org's icon or signature. Or modify one pixel then hash the image for each of your suspects.

    "Here's our new classroom design (Please don't share!)" https://www.openstego.com/

    You could also probably try to phish the person. If your school has KnowBe4 or similar software there are hundreds of convincing templates; if you don't, contact a couple of companies and ask for samples or take a real spam sample you've gotten. Replace the hyperlink with something you've hosted and just rip the files from the real website. Fake "password has been changed", "complete survey to win $50 gift card", etc.

    Best of luck!
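One way to build the canary trap goles describes (and the OP's own idea of sending unique information to each recipient), as an added example that is not part of the thread: each recipient's copy differs in checkable details rather than in wording, so a leak that has been paraphrased or run through a style rewriter, as the OP suspects, still maps back to the copy it came from. The recipient labels, paragraphs and details are constructed placeholders, and the shifted-diagonal assignment is this example's own choice, not the method quoted from Patriot Games.

```python
"""Canary trap: give each recipient a copy whose checkable details differ,
then map a leaked text back to the copy it came from.  Added example; the
recipients and paragraph variants below are constructed placeholders."""

# Constructed bait.  Each paragraph is a template with one factual slot and a
# list of alternative details.  The details, not the prose, do the
# identifying, so a paraphrased or style-rewritten leak still carries them.
PARAGRAPHS = [
    ("The board's next closed session is on {}.",
     ["Tuesday", "Wednesday", "Thursday", "Friday"]),
    ("The gym renovation quote came in at {} thousand.",
     ["120", "135", "150", "165"]),
    ("The replacement for the science post starts in {}.",
     ["March", "April", "May", "June"]),
]
RECIPIENTS = ["recipient-A", "recipient-B", "recipient-C"]  # constructed labels


def assign_variants(recipients, paragraphs):
    """Return {recipient: [variant index per paragraph]}.
    Shifted-diagonal scheme: recipient i gets variant (i + k) of paragraph k, so
    every single detail is handed to at most one recipient and a leak quoting
    just one paragraph already identifies its source.  That needs at least as
    many variants per paragraph as recipients, which is checked here."""
    n = len(recipients)
    for template, details in paragraphs:
        if len(details) < n:
            raise ValueError(f"need >= {n} variants for: {template!r}")
    return {r: [(i + k) % len(d) for k, (_, d) in enumerate(paragraphs)]
            for i, r in enumerate(recipients)}


def build_copies(recipients, paragraphs):
    """Render the per-recipient text that would actually be distributed."""
    assignment = assign_variants(recipients, paragraphs)
    return {
        r: "\n\n".join(template.format(details[j])
                       for (template, details), j in zip(paragraphs, choice))
        for r, choice in assignment.items()
    }


def identify(leaked_text, recipients, paragraphs):
    """Score each recipient by how many of their unique details appear in the
    leak.  Returns {recipient: hits}.  An empty result means no planted detail
    was found (or only a variant nobody received); more than one entry means
    the leak mixes copies or a detail occurs by coincidence, so treat that as
    inconclusive rather than as proof against anyone."""
    assignment = assign_variants(recipients, paragraphs)
    haystack = leaked_text.lower()
    hits = {}
    for r, choice in assignment.items():
        count = sum(1 for (_, details), j in zip(paragraphs, choice)
                    if details[j].lower() in haystack)
        if count:
            hits[r] = count
    return hits


if __name__ == "__main__":
    copies = build_copies(RECIPIENTS, PARAGRAPHS)
    for r, text in copies.items():
        print(f"--- {r} ---\n{text}\n")
    # A constructed "leak" that rewrites one copy in different words.
    leak = "Apparently the board is meeting in secret on Wednesday and blew 150k on the gym."
    print(identify(leak, RECIPIENTS, PARAGRAPHS))
```

Repeating the exercise a few times with fresh details, as goles suggests, turns a single match into a trend: the same recipient should score on every round, and a round where two recipients score is a sign the bait was shared rather than leaked by one person.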

  • qup 9 days ago
    Find a more discreet way to send unique bad information.

    I think something where you say "whoops!" afterwards is a little obvious.

    Is there no access log for the parent email list?

    • sudoaptinstall 9 days ago
      Sadly no. The school has been pretty lax with personal information. Staff is also expected to use their personal devices for internal communication because they don't want to pay to give all the teachers' aides laptops. It's pretty common for everyone to access their email on their personal phones.
  • HackRover 9 days ago
    Your idea of sending different pieces of information to different suspects and observing the outcome is a classic approach known as a "canary trap." It's been used in counter-intelligence to identify leaks. However, you should consider the ethical implications and potential legal issues related to this method.

    Another approach, more technical, could be to analyze the headers of the defamatory emails. Email headers contain metadata about the email, including the originating IP address. This could potentially help identify the sender.

    Lastly, involve your school's legal team or local law enforcement, as they might have more resources and expertise to handle such a situation.

    • sdfhbdf 7 days ago
      This comment looks very much AI generated.
  • markx2 9 days ago
    Disinformation, carefully used, would be my first line of investigation.

    As an aside, the Humble Bundle Choice releases were being reliably leaked. Until this month ... https://redd.it/1bqpp2l - so I suspect HB did the same, and carefully distributed info to establish the mole's identity.

    • sudoaptinstall 9 days ago
      Thanks for the reply. The school is trying to go about a "normal" investigation process. I'm trying to do due diligence before suggesting a full-on disinformation route to the principal. It's getting messy though.
  • DoreenMichele 9 days ago
    If you are getting copies of the emails, I would instead post correct info somewhere "rebutting" everything without rebutting.

    Their email: Shitty, defamatory bullshit.

    Your posts somewhere: Factual, complete, respectful, never mention that it's a rebuttal.

    Also, track everything, search up local laws, find some way to notify the perpetrator that their criminal count is rising:

    1. Theft of the email list.

    2. Violation of any legal obligation they have to respect student privacy, non disclosure agreements, etc.

    3. Defamation which may not get them charged criminally but could get them sued.

    4. Multiple counts of defamation and libel as each email tells lies about presumably different people.

    5. If there is anything remotely sexual in any of it, go over all laws pertinent to sex offenses.

    Try to find some means to notify parents they should not trust the info from this source, you are doing what you can to stop it, each email sent likely adds counts to what they can be charged with and you need help tracking it for legal purposes.

    A lot of people get told to delete offensive emails from stalkers for their mental health. It de facto destroys evidence and helps cover up the crimes.

    Provide people a list of best practices for dealing with social aspects of the issue. If an email says "Sally is a slut!" do not argue about Sally and her sex life. The correct thing to do is remind people this comes from a malicious actor, it's untrustworthy information intended to hurt Sally and her sex life is no one's business.

    Rinse and repeat: "This is intended to be malicious. The source is a thief who is likely a disgruntled employee. Their actions amount to career suicide. It's only a matter of time before we identify them. Until then, any information from this channel should be disregarded."

    Less personal info that is more relevant to school function:

    Perp: "The school is pissing away money for stupid reasons!"

    You: "This is our budget. This is why it gets spent that way. Sad that things are so expensive but doing x instead of y fails to achieve the desired result."

    Real world example: A school in a hot, humid place turned off AC all summer while school was not in session to try to save money and came back to a rampant mold problem that they couldn't afford to remediate. Turning off the AC was penny wise and pound foolish.

    As much as possible, do not mention the malicious email campaign when publishing accurate information to keep people informed about what's real.

    When it's over, assess what parts of this information campaign you want to continue with because it was unexpectedly beneficial to inform people.

    Best of luck.

    • codingdave 8 days ago
      "Don't feed the trolls."

      Replying to them is giving them the attention they want. Rebuttals will just invite public arguments. Definitely deal with the problem, but do it quietly, in the background. Do not engage.

      • DoreenMichele 8 days ago
        Engaging directly also lets them set the agenda. Deciding what info people need to neutralize the problem and publishing it lets you set an agenda.

        Do keep in mind that if it becomes public debate, your most and least vociferous are both potential candidates as the author. Even someone very vociferous and seemingly on your side may actually be your troll doing all they can to keep the discussion going.