Simply repeating a POST to http://<yoursite>/magento/newsletter/subscriber/new/ with POST data “email=<victim>@<mail_domain>”. I’ve easily tested this with http://demo.magentocommerce.com/
Issue #9600 is about some newsletter subscription security problems like this, but the issue tracker seems not to work!
In my opinion this could be acceptable once, but never if (1) we have a pending answer from <victim>@<mail_domain> to confirm the subscription or if (2) <victim>@<mail_domain> corresponds to a client of the shop who has stated that they do not want to receive the newsletter.
Please, any good solution (not based on template masquerading or such) would be much appreciated! I’m trying to open a shop, but anti-spam laws in my country and this error will force me to disable the newsletter.
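
The rule asked for in conditions (1) and (2) above, as an added example in plain PHP that is not Magento code and not part of the original post: a subscribe request triggers a confirmation mail only the first time an address is seen, and sends nothing while a confirmation is pending or when the address belongs to a customer who declined the newsletter. The state names, the `handleSubscribe` function and the in-memory `$store` are hypothetical; a real shop would read and write the same state in its subscriber table.

```php
<?php
declare(strict_types=1);

// Hypothetical subscriber states for this example (not Magento's constants).
const STATE_NONE       = 'none';        // address never seen
const STATE_PENDING    = 'pending';     // confirmation mail sent, no answer yet
const STATE_SUBSCRIBED = 'subscribed';  // address confirmed the subscription
const STATE_OPTED_OUT  = 'opted_out';   // shop customer who declined the newsletter

/**
 * Decide what one subscribe request may do.
 * Only the return value 'send_confirmation' is allowed to produce outbound mail,
 * so replaying the same POST cannot generate a second message to the address.
 */
function handleSubscribe(array &$store, string $email): string
{
    // Normalise first so case or whitespace variants map to one record.
    $key = strtolower(trim($email));
    if (filter_var($key, FILTER_VALIDATE_EMAIL) === false) {
        return 'reject_invalid';
    }

    switch ($store[$key] ?? STATE_NONE) {
        case STATE_PENDING:     // condition (1): confirmation still unanswered
            return 'suppress_pending';
        case STATE_OPTED_OUT:   // condition (2): customer said no newsletter
            return 'suppress_opted_out';
        case STATE_SUBSCRIBED:  // nothing to do, and nothing to send
            return 'noop_already_subscribed';
        default:                // first request for this address
            $store[$key] = STATE_PENDING;
            return 'send_confirmation';
    }
}

// Constructed sample data: one opted-out customer, then a replayed request.
$store = ['customer@example.com' => STATE_OPTED_OUT];
$requests = [
    'victim@example.com',
    'victim@example.com',      // exact replay
    ' Victim@Example.com ',    // replay with case and whitespace changes
    'customer@example.com',    // opted-out shop customer
];

foreach ($requests as $request) {
    printf("%-24s %s\n", trim($request), handleSubscribe($store, $request));
}
```

The page shown to the requester should be the same for every outcome, so the form does not reveal which addresses are already known to the shop.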