I was looking at adding some custom fields to registration and/or newsletter subscription and I noticed that the way my settings are allows anyone to be able to cause an email to be sent out. It’s just begging for abuse. I haven’t checked to see how robust the email sending code is, so I can’t say that spammers can’t use the subscription form to spam the world.
I checked the demo site, wondering if that newsletter box was only supposed to show in the account dashboard, but it is there on the main pages of the store as harry12bar says. I don’t their settings are for confirmation of email, though, so it doesn’t give the “confirmation email sent” message like mine does.
I really don’t see a good way to do the newsletter subscription. My client doesn’t want to pay for an autoresponder (I would just use Aweber), but we need to confirm the email address. I could take the subscription form off the main pages and only have it in the account dashboard, since he’s not allowing guest checkout either.
I’m tempted to just turn off the newsletter functionality and tell my client that I can’t ensure the security of it.