Hey There,
You posted a very interesting topic, although you have already finished the script from figit, or whatever it was, you just handled a real difficult topic. I have been able to use PHP to write the security images, however, I have also been able to use remote JavaScript, which is obfuscated to the robot or SPAM bot, and this sets a cookie that I am able to pick up apon after the script has gone to the CGI bin. However, a new and better technique is to use an AJAX based email form, if you use deep rooting, ex. ../../../forms/email.html, then pop the AJAX email form over the page by using an empty div and writing the innerHTML via Javascript, to pull the email page into the original page, the robot will get confused. It won't be able to send an email via your form, because it won't be able to find the form, which in essence is in an empty div in your html. This is a flawless technique, until the robots get smarter and begin to follow AJAX paths. However, going back to the obfiscation, if you use a javascript obfiscation program prior to the launch of the page which is making the AJAX call to the email form, you will undoubtedly never become prey for the SPAMbots again, and AJAX is fun to use as well.

This was long and confusing. I just wanted to say that their is another non-PHP technique as well!!

-Scott
San Jose