Latest Change set(XML provider, default theme), spammer can add "itself" to the <notification> area of a blog post

Dec 12, 2009 at 3:37 PM

I'm using the latest change set, 31069.
Comments set to manual moderation, XML provider, default theme, IIS 7.

If a spammer checks the "Notify me when new comments are added" checkbox and posts a comment, and I go and delete that comment, then if I look at the corresponding .xml file of that blog post, the spammer had added himself to the <notification> area. This is not quite desired behavior I would say, it should be allowed an user to be added to the <notification> area only after its comment was approved.