There are ways. You could use services like domaintools and get IP history if you did use any of the IPs in the past. You could get the IP from e-mail headers, if the website sends e-mails during registration, password recovery, etc. You could look for ways for a server to make a request somewhere and log its IP, like posting an image on a forum, some forums do that. And this is just off the top of my head.
Right, in most cases though those holes are easily plugged. When switching over to CF don't use an IP that was ever public-facing for your site, use distributed systems like Amazon SES for sending email, etc. I imagine the things you mentioned do go overlooked by some when fighting off an attack, though.
