I mentioned the dynamic "to" because I read it here…
specifically the following…
"If you want to allow visitors to your Web site to contact you, provide an online form, and put the "send to" e-mail address in the form processing script rather than the HTML of the form itself."
unless they mean something other than what I think they mean.
And yes, captcha, security question and honey pot are all in place.
In retrospect I guess the email address doesn't appear in the html so dynamic generation would be superfluous.
Am I right or wrong?