I'm using the latest change set, 31069.
Comments set to manual moderation, XML provider, default theme, IIS 7.
If a spammer checks the "Notify me when new comments are added" checkbox and posts a comment, and I go and delete that comment, then if I look at the corresponding .xml file of that blog post, the spammer had added himself to the <notification>
area. This is not quite desired behavior I would say, it should be allowed an user to be added to the <notification> area only after its comment was approved.