View Full Version : Malicious use of public company email address


Scorpion
11-04-2002, 10:22 AM
I'm curious as to how other developers who have a web site with embedded email addresses deal with malicious use of such addresses.

Our company email address is embedded in the page source for the newsletter subscription script, which makes it available to address crawlers. It's also available on our corporate pages.

I’ve had to deal with people masking their identity using our address to spam others. And lately I’m being flooded with junk mail and have started receiving removal requests from spam victims who think junk mail is coming from us. The law is on my side for the latter, as it harms the company's image.

Have any of you had to deal with this abuse and, if so, how did you handle it? Are there any free or low-cost methods of preventing this? I'm curious as to how Dexterity deals with it (I've actually received junk mail from a dexterity.com address as well, so I know I'm not the only victim of fudged email headers.)

Dexterity
11-04-2002, 11:11 AM
This is an ongoing problem, but we've managed to get a good handle on it. For a while I was getting several hundred email viruses and spams per day, so eventually I reached the point where I had to do something about it.

The first and most effective thing I did was to install an email spam/virus filter on our RedHat Linux server (MailScanner with SpamAssassin, both free). I set it up to automatically scan and delete any virus-infected emails sent to any email address at any of our domains. Bingo... no more virus-infected emails. Hundreds of these suckers are now automatically filtered out by our server every day. Emails that include certain file attachments, spam-like phrases, and certain header info are also automatically deleted at the server level, so I never see them.

Next, the server spam filters automatically flag any emails that are probably spam, and my email program detects this filter and sticks them into the junk email folder. I probably get around 20-50 of these per day now, but they only take a minute to scan and delete. They claim to be about 99% accurate, but I'd say these filters are more like 70-80% accurate. They catch almost all spam, but they have a lot of false positives. However, usually these are just notification emails like receipts that don't require a response anyway.

Another thing I did was kill off most of our public email addresses, especially the common ones that are easily guessed by spammers. So there's no more info@, sales@, support@, etc. for our domains. I even killed off webmaster@ and replaced it with websitemaster@, and when that one gets too much spam, I'll rotate it again. Support@ got the most spam, so I killed that off too and replaced it with a simple online form. For certain popular defunct email addresses I added autoresponders that reply with a link to our contact and support pages.

Finally, I set up some last-chance filters in my email program to catch other spam that slips through the server filters. If I wanted to, I could also add these filters to the server, but some things are easiest to do on the PC.

The net result is that I no longer receive email viruses for the most part... perhaps one slips through each month, but that's a lot better than hundreds per day. And spam has been reduced by at least 50%.

Of course, installing MailScanner and SpamAssassin requires that you have root access to your server. Since we have a dedicated server, this isn't a problem for us. Setup was straightforward, and the benefits kicked in immediately. I can't imagine running a popular web site today without having server-level spam/virus filters.

cliffski
11-04-2002, 08:51 PM
There is a cunning little JavaScript thing that lets you display a mailto: link without the actual email address being written on the page (and thus detectable by spambots). I use it in the buttons that email me on my own site.
Can't remember exactly the site I got it from, but you can view my page's source.
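
The kind of script described in the last post, as an added example that is not cliffski's code or anything posted in the thread: the address is assembled in the browser, and a crawler-style pattern is run over the page source as a publishing check. The names, the `contact-link` class and the example.com address are all constructed for illustration.

```javascript
// Added example: keep the address out of the static page source and
// assemble the mailto: link at runtime. All names are hypothetical.

// The address is stored in pieces so the literal "user@domain" string
// never appears in the HTML or in the script text.
const CONTACT = { user: ["news", "letter"], host: ["example", "com"] };

function buildAddress(parts) {
  // 64 is the character code for "@"
  return parts.user.join("") + String.fromCharCode(64) + parts.host.join(".");
}

// Fill in every placeholder link such as:
//   <a class="contact-link" href="#">Email us</a>
function activateLinks(root, parts) {
  const links = root.querySelectorAll("a.contact-link");
  links.forEach((a) => {
    a.setAttribute("href", "mailto:" + buildAddress(parts));
  });
  return links.length;
}

// The same sort of pattern an address crawler applies to raw page source.
// Run it over your own markup to confirm no address has leaked into it.
function findExposedAddresses(source) {
  return source.match(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g) || [];
}

// Constructed sample markup: one exposed link, one protected placeholder.
const EXPOSED_HTML = '<a href="mailto:newsletter@example.com">Email us</a>';
const PROTECTED_HTML = '<a class="contact-link" href="#">Email us</a>';

// In a browser, wire the links up once the page has loaded.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => activateLinks(document, CONTACT));
}
```

This only hides the address from crawlers that read static source; a crawler that executes scripts will still see the finished link, and it does nothing about forged From headers, which need no harvested address at all.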