I wouldn't use this for security reasons (not to mention that it may not foil a decent spider because it does eventually produce the correct mailto: URL).

Use the CGI interface to get the parameters from the URL rather than $ENV, especially since you're pulling in the module anyways (I see this is much better now).

Use taint mode, just to be safe-- and I see that it's there, but you are untainting almost anything that might get passed in.

Don't allow non-word characters in your input variables-- they aren't necessary in an email address are they?

You don't even need to put the domain as "foo.com", just "foo" will be fine, then you can append ".com" in your script.

Final thought: why even allow for input variables... this is the cause of the security problems. Why not just hardcode your own address into the script, so that the rest of us will not start pointing to your script for our own email addresses?