So for my responsive site, when in the mobile-scale, I have an "Email Us" button that the user can tap to open up the email client.
Originally this was a simple mailto:, but I've since changed it, but as I wanted to keep the changes to an absolute minimum, I decided upon the following method:
Replace the "mailto:example@email.com" with a link to redirect.php in my site directory. All that is in redirect.php is this:
<?php
header('Location: mailto:example@email.com');
exit();
?>
And it behaves totally fine! That was the only spot where the email address was present in the HTML or JS, so I felt like it would be overkill to do a complete encryption of the email.
So my question is this: Is this enough to effectively keep spam-bots out? If no, what extra steps are necessary?
Obviously you can't 100% stop them from happening, but I figured as the actual address is only on the server-side, that would significantly reduce the risk. Right?
The way you're doing it is not wrong and can help you a lot; however, if you really want to kill spam, the best way is to use a Captcha, even if basic.
If I were you I would try this method for some time and if you keep receiving spam, I would introduce a simple Captcha in a lightbox with a button asking if the user is human. If so, the user would be redirected to your redirect.php.
I think this way is simple for the user to press a button, for you to implement and would kill 95% of bots.
The correct answer to this question will always be no, as even if you come up with a new way of obfuscating your email address that nobody has ever used before, the bots will be modified to get around it eventually.
I find that building the address with JavaScript is still an effective solution, as crawlers generally don't parse JavaScript for various reasons.
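A sketch of the JavaScript approach from the last answer, added here as an example and not code from any of the posts. The `email-us` class, the `data-u`/`data-d`/`data-t` attributes and the reversed-fragment encoding are assumptions chosen for illustration; the address is assembled only when the button is tapped, and the fragments are validated so tampered attributes cannot add extra mailto: parameters.

```javascript
// Added example (not from the original posts). The data-* attribute names,
// the "email-us" class and the reversed-fragment encoding are assumptions.

// Constructed sample markup: the address is stored reversed and split, so the
// static HTML contains neither the mail scheme nor a contiguous user@domain.
const SAMPLE_MARKUP =
  '<a href="#" class="email-us" data-u="elpmaxe" data-d="liame" data-t="moc">Email Us</a>';

// Missing attributes become '' and are rejected by the check below.
const reverse = (s) => Array.from(String(s ?? '')).reverse().join('');

// Allow only characters expected in a simple address part, so tampered
// attributes cannot smuggle "?cc=", "&body=" or line breaks into the URL.
const SAFE_PART = /^[A-Za-z0-9._+-]+$/;

function buildMailto({ u, d, t }) {
  const parts = [u, d, t].map(reverse);
  if (!parts.every((p) => SAFE_PART.test(p))) {
    throw new Error('unexpected characters in address fragment');
  }
  const [user, domain, tld] = parts;
  return 'mai' + 'lto:' + user + '@' + domain + '.' + tld;
}

// Self-check for your own pages: does the static source still contain
// something a simple pattern match would recognise as an address?
function exposesAddress(text) {
  return /mailto:|[A-Za-z0-9._+-]+@[A-Za-z0-9-]+\.[A-Za-z]{2,}/i.test(text);
}

// Browser only: build the URL at tap time, not at page load, so the address
// is not written into the DOM by a script that merely runs on load.
function wireEmailButtons(root) {
  root.querySelectorAll('a.email-us').forEach((a) => {
    a.addEventListener('click', (ev) => {
      ev.preventDefault();
      window.location.href = buildMailto(a.dataset);
    });
  });
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => wireEmailButtons(document));
}
```

As the second answer notes, this only raises the cost: a client that executes the script and triggers the click still obtains the address.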