The problem with most current methods of spam-proofing is that they are designed from a web designer’s point of view rather than a programmer’s, and they are perhaps too influenced by our thoughts about spammers. When a web designer looks at a string of “mailt” he sees confusion, and when he thinks about spammers, he naturally thinks of morons. The problem is that although spammers certainly are morons (otherwise they wouldn’t offer to enlarge both my breasts and my penis), spam harvesting bot authors aren’t morons. For the first month or so after someone thought of it, entity or hex encoding your email address, or just the @ like Movable Type does in comments, probably worked pretty well. However, once you tell the world about it, to a spambot author that string looks like she needs to write another couple of functions to decode hex- and entity-encoded URLs, and a couple of regular expressions to capture the words on either side of @ and %40. Hidden by a document.write? She’s not parsing the source for working links, she’s just looking for text on either side of an @ that might make an email address. If you want to hide from her, you’ll have to do something that she can’t write a regular expression to capture.
Unless someone can see a problem with it, I think I’ve got a solution that will hide the address from harvesters, work reasonably transparently in most browsers, and still be fairly accessible.
First, you need to get a disposable address, one that you can happily and easily discard if it gets harvested. I favor Spam Motel, which lets you create any number of disposable addresses, and forwards any mail they receive to you until you delete an address, but there are other options (even a Hotmail or Yahoo address would work).
Next, add a script to the <head> section of any page where you want an email link, to assemble the pieces of your address:
Then, to create an email link, combine your Spam Motel address with obfuscate_email():
<a href="mailto:ZFBEKDVXGNRB@spammotel.com" onclick="this.href=obfuscate_email();" onMouseOver="window.status=obfuscate_email();return true;" onmouseout="window.status='';return true;">email me</a>
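The script that defines obfuscate_email() is not preserved on this page. The following is an added example, not the original post's code, of one way to write it, together with a check you can run against your own markup. The address me@example.com, the variable names user and host, the helper visible_addresses() and the sample page source are all assumptions constructed for illustration.

```javascript
// Hypothetical pieces of the real address (constructed values).
var user = "me";
var host = ["example", "com"];

// Assemble the real mailto: link at click time. The at-sign comes from its
// character code, so no "@" or "%40" sits beside the pieces in the source.
function obfuscate_email() {
  return "mailto:" + user + String.fromCharCode(64) + host.join(".");
}

// Self-audit: decode the page the way the post says a harvester would
// (numeric and hex entities, %-escapes), then list whatever looks like an
// address, i.e. text on either side of an @.
function visible_addresses(source) {
  var decoded = source
    .replace(/&#x([0-9a-f]+);/gi, function (m, h) {
      return String.fromCharCode(parseInt(h, 16));
    })
    .replace(/&#(\d+);/g, function (m, d) {
      return String.fromCharCode(parseInt(d, 10));
    })
    .replace(/%([0-9a-f]{2})/gi, function (m, h) {
      return String.fromCharCode(parseInt(h, 16));
    });
  return decoded.match(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g) || [];
}

// Constructed page source: the script above plus the link from the post.
var page =
  '<head><script>var user = "me"; var host = ["example", "com"];\n' +
  obfuscate_email.toString() + "</script></head>\n" +
  '<a href="mailto:ZFBEKDVXGNRB@spammotel.com" ' +
  'onclick="this.href=obfuscate_email();">email me</a>';

// For comparison: the same address with only the @ entity-encoded.
var encoded = '<a href="mailto:me&#64;example.com">email me</a>';

console.log(visible_addresses(page));    // only the disposable address
console.log(visible_addresses(encoded)); // the real address is recovered
```

Running visible_addresses() over the served HTML of your own page shows which addresses are readable without executing any script; only the disposable one should appear.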
One other thing to consider about spam-proofing: I’ve had my @barrysworld address completely available in quite a few pages for around a year now, and I still get less than one piece of spam through it per week. On the other hand, the work address I just got rid of, which was available in a web page several years ago, was getting thirty or forty spams per day. I suspect that there is a whole lot less harvesting, and more reselling of the same old addresses, these days.