Spam bot subscriptions through disabled subscription form


I’m using a phplist signup form that uses its own verification methods and subscribes users using curl (fork of old WP plugin). I’ve also disabled the display of the signup form in phplist (by commenting out the display of “subscribelip.php” in index.php/around line 260).

Still, a couple of what appear to be spam subscriptions manage to get through using the form, according to the database entry “signup page”. How is that possible? I know for a fact they’re not using the form on the web page since it has additional required attributes that are not mandatory on phplist’s subscribe form (which is not shown, as explained above), and these fields aren’t filled out for those subscriptions - these subscriptions are never confirmed by email, of course, but they’re an annoyance.

This is really confusing me, thanks for any idea!