What happens when someone fills in a contact form on a website?

I am trying to debug a problem on a website I am working on. The contact form doesn’t work. In my quest to find answers it occurred to me that I don’t even actually know what’s going on in the background in order to understand the sites that I’m reading for help!

So basically my question is: what happens when someone submits a form on a website?

I see that my hosting company has provided me a mail box with some arbitrary email address where the form submission gets returned to when it fails. Why? Do all form submissions actually come from this email address? What does PHP or SMTP have to do with this?

What does it mean to get an email from someone with a different actual sender?

I got a strange email and I just want to confirm my suspicions.

For background, I have my own email server which I set up using iRedMail on a VPS. I have an acquaintance who most likely has me in their address book, although I don’t have them in mine.

I got a highly suspect email with "Urgent! <acquaintance’s name>" as the subject, and a body that just said they need a favour. Looking at the headers of the email, I see that the Sender field is an unrelated university email address from another country, while the From field is my acquaintance’s name and a different email address than the one I had communicated with them in the past.

My hypothesis is that their account got hacked, the hacker stole their address book and is sending a scam to all of their contacts.

My fear is that my own server got hacked, or something. My email setup did not complain about this email even though I have virus scanning, and I expect that the regular checks (DKIM, SPF etc.) were done.

Can anyone confirm my hypothesis?
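A header check for the situation described in the question above, as an added example that is not part of the original post: SPF covers the envelope sender and DKIM covers the signing domain, so both can pass for the relaying account's domain while the visible From address belongs to a different domain. The sample message, its `.example` domains and the function names are constructed for illustration.

```javascript
// Constructed sample message (reserved .example domains), shaped like the one described above.
const SAMPLE = [
  'Authentication-Results: mx.recipient.example;',
  '\tspf=pass smtp.mailfrom=bounce@mail.university.example;',
  '\tdkim=pass header.d=university.example',
  'Sender: staff@university.example',
  'From: "Known Acquaintance" <someone.else@freemail.example>',
  'Subject: Urgent! Known Acquaintance',
  '',
  'I need a favour.',
].join('\r\n');

// Header block only: stop at the first blank line, unfold continuation lines.
// Simplification: a repeated header name keeps only its last value.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, ' ');
  const headers = {};
  for (const line of head.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Domain part of the first address in a header value, or null.
function addrDomain(value) {
  const m = /@([A-Za-z0-9.-]+)/.exec(value || '');
  return m ? m[1].toLowerCase() : null;
}

// Suffix match as a stand-in for DMARC relaxed alignment (no Public Suffix List lookup).
const related = (a, b) => a === b || a.endsWith('.' + b) || b.endsWith('.' + a);

function assess(raw) {
  const h = parseHeaders(raw);
  const fromDomain = addrDomain(h['from']);
  const senderDomain = addrDomain(h['sender']);
  // Domains that actually passed SPF (envelope sender) or DKIM (signing domain).
  const re = /\b(?:spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)/g;
  const passed = [...(h['authentication-results'] || '').matchAll(re)]
    .map((m) => m[1].split('@').pop().toLowerCase());
  return {
    fromDomain,
    senderDomain,
    senderDiffers: senderDomain !== null && senderDomain !== fromDomain,
    passed,
    fromAuthenticated: fromDomain !== null && passed.some((d) => related(d, fromDomain)),
  };
}
```

For the sample, `assess(SAMPLE)` reports that SPF and DKIM passed for the university domain only, so the From address is not covered by either check.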

Is it possible to track someone using their mobile number in the UK?

This is something I’ve wondered for a while – is it theoretically possible to track someone using their phone number in the UK? It’s a classic Hollywood trope and I’m wondering just how much truth there is to it and how feasible it would be.

Doing some basic research returns plenty of services and apps that claim to be able to do it. For example, here:

Our location services use a variety of technology to locate a handset. Primarily we use cell-ID to locate a mobile phone to within a certain transmission cell. Accuracy is greater in areas of high population density (e.g. large towns and cities), and reduces as population density reduces (e.g. in the countryside)…

Our service will not work with landline numbers. It will only give the location of mobile phones registered to a UK mobile cell network. The service does not require the user to install any apps or other software. The service works cross-platform, which means it can work on Android, iPhone, Windows Phone, and older basic phones.

…and here:

So if you’re concerned about the location of your family members, want to know the location of your employees, find a lost phone, or want to track down a suspicious call, phone number tracking is as real as they show in the movies!

I also came across this which seems like it could be of interest.

Is it possible to track a phone using a UK mobile number, and if so, is it limited to corporate entities? How easy or hard is it to do for the average technologically capable individual?

Can someone explain the ‘IE No Open’ X-Download-Options Header, as enforced by Helmet.js?

I’ve been preparing to deploy an Express server using Helmet.js for some added security. I’ve been reading through their docs to make sure I understand what I am doing here, and I don’t understand one of their features:

“IE No Open”:

In short: this middleware sets the X-Download-Options to prevent Internet Explorer from executing downloads in your site’s context.

Some web applications will serve untrusted HTML for download. By default, old versions of Internet Explorer will allow you to open those HTML files in the context of your site, which means that an untrusted HTML page could start doing bad things in the context of your pages. – from the Helmetjs docs

What do they mean by “Some web applications will serve untrusted HTML for download”? Is this referring to, say, if an img tag on my site was pointing to a file hosted by a CDN, or site that I otherwise do not control?

I consulted the Microsoft docs for clarity:

When the new X-Download-Options header is present with the value noopen, the user is prevented from opening a file download directly; instead, they must first save the file locally. When the locally saved file is later opened, it no longer executes in the security context of your site, helping to prevent script injection.

It sounds like this is talking about XSS, such as external file URLs (e.g. an image) that might try and execute malicious scripts on one’s site…but some of the nomenclature and diction used I am either not familiar with or simply do not understand (e.g. “they must first save the file locally” – like, the browser, or the actual user?)

Could someone walk me through a real-world example of the exploit(s) that this feature is trying to mitigate?
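The situation the quoted Helmet and Microsoft text describes, a site handing back HTML that one of its own users uploaded, as an added example that is not from the Helmet docs or the original post. `UPLOADS`, `downloadHeaders` and `serveUpload` are hypothetical names, and the headers other than `X-Download-Options: noopen` are assumptions about a typical download endpoint.

```javascript
// Constructed in-memory stand-in for files stored by other users of the site.
const UPLOADS = {
  'report.html': '<h1>Uploaded by another user</h1><script>/* untrusted */</script>',
};

// Response headers for handing an untrusted file back to a browser.
function downloadHeaders(filename) {
  // Conservative character set so the name cannot break out of the quoted string.
  const safe = String(filename).replace(/[^A-Za-z0-9._-]/g, '_').slice(0, 100) || 'download';
  return {
    // Generic type plus nosniff: the browser should not render this as a page.
    'Content-Type': 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff',
    // Ask for a download prompt instead of inline display.
    'Content-Disposition': `attachment; filename="${safe}"`,
    // Old Internet Explorer offered "Open" in that prompt, which opened the file
    // in the security context of the serving site; noopen leaves only "Save".
    'X-Download-Options': 'noopen',
  };
}

// Handler in the (req, res) shape used by Node's http module and by Express.
function serveUpload(req, res) {
  let name;
  try {
    name = decodeURIComponent(req.url.split('?')[0].replace(/^\/uploads\//, ''));
  } catch (e) {
    name = null; // malformed percent-encoding
  }
  if (name === null || !Object.prototype.hasOwnProperty.call(UPLOADS, name)) {
    res.writeHead(404, { 'Content-Type': 'text/plain' });
    return res.end('not found');
  }
  res.writeHead(200, downloadHeaders(name));
  res.end(UPLOADS[name]);
}
```

Helmet adds the `X-Download-Options` header through its middleware; `Content-Disposition` remains the application's responsibility on whichever routes serve stored files.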