Welcome to WebmasterWorld Guest from 126.96.36.199
Forum Moderators: phranque
I'd also suggest encoding parts of the "mailto:" prefix so that this doesn't become the weak part of the system...
Otherwise your best bet is to not show email addresses unless the user registers or deal with it the FriendsReunited does and don't actually expose the email addresses on the site but instead act as a trusted 3rd party which establishes communication between the two people.
I made a clickable link to a contact form and passed a var that represents the targeted user. I don't let the user fill in a 'To:' so the form is useless to anyone that might try to utilize it as an open emailer. When the form is submitted the form handler does a lookup using the var I passed for the actual email address. It formats the email and sends it on.