Due to enormous amounts of spam on our public email addresses, i.e. firstname.lastname@example.org, we're going to ask the public to communicate with us only by form.
Rather than use any kind of Matt-Wright-like solution, we're thinking we'll have a form where the recipient of the form is not visible in the source code, but only a lookup code for it.
So the form, rather than saying
<input type="hidden" name="recipient" value="email@example.com">
will just have something like
<input type="hidden" name="recipient" value="12345">
and the actual email address will be looked up based on that key.
Is there any remaining security/spam issue, assuming that we also check that the form was submitted from one of our servers?
Obviously if someone goes to the trouble of spoofing our IP or domain, they can still spam me by imitating the action of the form, but apart from that, am I missing something?
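A sketch of the server-side half of the scheme described in the post above, added here as an example and not code from the original poster. The names `RECIPIENTS`, `OUR_HOSTS`, `Rejected` and `build_message`, the form field names, the second lookup code and the `webform@example.org` sender are all assumptions made for illustration.

```python
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed sample data: codes, addresses and host names are assumptions.
RECIPIENTS = {"12345": "email@example.com", "67890": "webmaster@example.com"}
OUR_HOSTS = {"www.example.org", "example.org"}


class Rejected(Exception):
    """Raised when a submission must not be turned into mail."""


def build_message(form, referer):
    """Turn one submission (dict of str fields) into an EmailMessage."""
    # The "submitted from one of our servers" check. The Referer header is
    # sent by the client, so this filters casual reuse, not deliberate forgery.
    try:
        host = urlsplit(referer or "").hostname
    except ValueError:
        host = None
    if host not in OUR_HOSTS:
        raise Rejected("form not served from our site")

    # The address is resolved only here; an unknown code is refused and the
    # submitted value is never used as an address itself.
    to_addr = RECIPIENTS.get(form.get("recipient", ""))
    if to_addr is None:
        raise Rejected("unknown recipient code")

    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "webform@example.org"  # fixed sender, never visitor input
    msg["Subject"] = "Web form message"  # fixed subject, never visitor input
    # Everything the visitor typed goes into the body, not into headers.
    msg.set_content(
        f"Name: {form.get('from_name', '')}\n"
        f"Subject: {form.get('subject', '')}\n\n"
        f"{form.get('body', '')}\n"
    )
    return msg
```

The returned message can be handed to `smtplib.SMTP.send_message`; the only recipients reachable through the form are the ones listed in the table.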