Quite apparently, without confirmation e-mail, even if you use some mail address internally, to forward post data to you via main, you never expose this mail address.
And if you write e-mail confirmation, you apparently expose some address, from/reply-to one. The customer can actually send a mail.
Now, simple logic should show you: you have the only reason for this message to be a mail is really want those mails from the users. And, set aside possible mail harvesting, those people can spam themselves or cell your address to spammers. Your choice. Sometimes you really want them to write mails to you, but then deal with consequences.
If you don't need that real mail messages from customers, you don't need sending them confirmations. Why sending a confirmation to some presumably "no reply" address? (If you never read those mails, you can automatically redirect them nowhere, but why receiving them at all? :-)). You could simply form a temporary Web page (just HTTP response, show user information and other message detail) and write "this is what we received from you". Really received. The only additional confirmation a mail can give you is that the user's mail address is real. Now, think thoroughly, why would you need to know that? I'm serious. You will know that only when a user actually send you a mail message. But then some your address is exposed. Now, think thoroughly. Let's supposed the user's mail address is fake. But then you will never know the real address anyway. You can safely assume it's real. It's only needed when you want to write to this user, not through automatic confirmation. And if the address is fake, you cannot do anything with it. All you need is simple logic. Have I missed something?
But now, if you want those messages (not mail messages, but HTTP posts) from users, you have to read those posts. As an alternative to mail, you can simply collect message data on server, clean unwanted messages, and so on. My experience shows: spam on HTTP post does exist, but it always orders of magnitude less then mail spam.
By the way, mail address harvesting is not the only possible exploit, and not the worst. If your scrip is not carefully written and does send mail, a malicious artist can turn your own host into a zombie sending spam, in no time. This is my explanation of this simple exploit, from real life:
unable to send mail , it showing the error in below code .[
^].
You also cannot really rely on mail tracking:
Regular expression form email validation not working[
^],
Email tracking — Wikipedia, the free encyclopedia[
^].
—SA