Stopping email address harvesting / security tips?
03-25-2006, 03:07 AM Stopping email address harvesting / security tips?
Super Talker

Posts: 102
I'd appreciate any advice on realistic risks I ought to take precautions against on low-traffic websites, such as email address harvesting and bandwidth theft, and what I should do to prevent problems.

Thanks.
doggy
03-26-2006, 05:54 AM Re: Stopping email address harvesting / security tips?
Average Talker

Posts: 18
Best advice I can offer on protecting against email harvesting is to not place email addresses directly on the pages. If you need to allow visitors to send email from the site, use web forms.

From what I understand, email harvesting is done by reading the content on a page rather than the underlying code. If you have a form that uses a Perl or PHP script to send mail, then the email addy is embedded in the code of a non-linked page/script and not visible on the site.

As for bandwidth theft/excess traffic, the most common instances are someone linking to a resource (image, script, video/audio clip, etc.) or just someone pointing traffic to your site. Most of this is done by people just linking to your resource in their code (i.e., <img src="http://yoursites.com/images/imagename.jpg">). I don't know of any real preemptive defense against this. Really all you can do is keep an eye on your bandwidth and make sure you have a decent stats system that can tell you where most of the traffic to your site is coming from. If you notice in your stats that 80% of your incoming traffic is coming from a specific site and is pointing to a specific file, then you should probably contact the owner/maintainer of the site and ask them to kindly stop leeching your bandwidth. If you're willing to provide them with the resource (and if it's yours to provide) then you can offer to give it to them so they can link it locally on their site.

Hope this helps

Last edited by shardinite : 03-26-2006 at 05:55 AM.
03-28-2006, 03:46 PM Re: Stopping email address harvesting / security tips?
trendybox
Experienced Talker

Posts: 43
you can also create images of your email address and put that up there.

www.whois.sc uses a good method of securing email addresses via an image that is trickier for bots to figure out.

the problems with doing that are:
a - there are bots that interpret the images anyway
b - you should put an alt tag on the image which would end up giving them the email address anyway.
c - it would cut back on accessibility by people using text browsers or visually impaired users.
d - there are a bunch of people with nothing better to do than to go around and manually harvest the email address so an image wouldn't stop them.

A note of caution about using web forms: make sure you use proper SERVER-SIDE validation when you use a mail script. Attackers can insert header injections into your fields to BCC and CC the email to alternate addresses with alternate messages.
__________________
-[Trendy Box]-
http://trendybox.net
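
The server-side validation that the post above calls for could look like this in Python (an added example, not code from the thread or from any poster). The recipient address, the form field names and the helper names are assumptions.

```python
import re
from email.message import EmailMessage

# Assumption: the site owner's address lives only in server-side code,
# never in the HTML and never in a hidden form field.
RECIPIENT = "webmaster@example.com"  # placeholder address

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes CR and LF
ONE_ADDRESS = re.compile(r"[^@\s<>,;:]+@[^@\s<>,;:]+\.[^@\s<>,;:]+")


class RejectedField(ValueError):
    """Raised when a submitted field must not be placed in a mail header."""


def clean_header(name, value, max_len=200):
    # Check the raw value first: a CR or LF anywhere would end the current
    # header line and let the rest of the field become a new Bcc:/Cc: header.
    if CONTROL_CHARS.search(value):
        raise RejectedField(f"{name}: control character in header field")
    value = value.strip()
    if not value or len(value) > max_len:
        raise RejectedField(f"{name}: empty or too long")
    return value


def build_contact_mail(form):
    """Build the outgoing message from an untrusted dict of form fields."""
    sender = clean_header("email", form.get("email", ""))
    if not ONE_ADDRESS.fullmatch(sender):
        raise RejectedField("email: must be exactly one address")
    subject = clean_header("subject", form.get("subject", ""))
    msg = EmailMessage()
    msg["From"] = RECIPIENT          # sender header stays under our control
    msg["To"] = RECIPIENT            # fixed: visitors cannot choose recipients
    msg["Reply-To"] = sender
    msg["Subject"] = "[contact form] " + subject
    msg.set_content(form.get("message", ""))  # body text, not a header
    return msg


# Constructed sample submissions (not taken from the thread).
GOOD = {"email": "visitor@example.org", "subject": "Question about hosting",
        "message": "Hello, do you offer shared plans?"}
INJECTED = dict(GOOD, email="visitor@example.org\r\nBcc: list@example.net")

if __name__ == "__main__":
    print(build_contact_mail(GOOD))
    try:
        build_contact_mail(INJECTED)
    except RejectedField as err:
        print("rejected:", err)
```

Client-side checks in the form page do not replace this, because the script receives whatever bytes the sender chooses to post.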
03-28-2006, 04:40 PM Re: Stopping email address harvesting / security tips?
sarahk
Junior Talker

Posts: 3
Name: Sarah
Location: Auckland, New Zealand
I've written a tool to obfuscate email addresses in a way that bots don't seem to pick up on. Just laziness on their part, but there are so many fresh emails to harvest elsewhere they don't need to work any harder. Seems to work though.

The problem at whois.sc is that you can't click the images. No problem for their use, but if you want people to contact you (i.e. and then spend money with your company) then that's not so good.

My solution is a good middle ground.

http://sarahk.pcpropertymanager.com/obfuscate.php
__________________
Simple SEO