I received a call today for an interesting incident. Bear in mind that the customer doesn't have an incident response policy, but I think that is going to change. It seems a staff member received an "anonymous" email that, while technically not threatening, was certainly personal, mean and inappropriate.
The staff member forwarded me the email, with all relevant headers. Even though there was a "from" address on the email, I realized that email addresses can be spoofed. However, digging through the headers, I found an "admin"@company.subdomain email address. Thinking the website might have been tampered with, I perused the web sites directory. The site only has 20 or so static pages with one contact form. Thinking contact form, I contacted the webmaster to see how the sub-domain actually worked. After some digging, I learned that there is one script on the sub-domain that processes the contact form. Bingo. Looking at the contact form, email address is not required. So, I tested sending the form without entering an email address; and I was able to replicate the incident.
I am now working with them to fix two issues: 1) There needs to be a documented incident response policy, such that the client is protected. 2) The website needs to address how to handle submissions without an email address.
The security ball is rolling, so hopefully good things can come of the incident.
And, while we may be able to get the IP of the person that submitted the form, I'm not sure what that will buy us.