in reply to Re: Re: form+subscription+Perl+sendmail = TROLL
in thread form+subscription+Perl+sendmail = TROLL

The mailing list program ezmlm does use the Return-Path from the mail as the address to subscribe and the one it sends the confirmation mail to. The Return-Path is the SMTP envelope sender set with the MAIL FROM command. You usually can't forge this on Unix machines when going through the sendmail process. You can set this when talking directly to the SMTP server, but many SMTP servers have limitations on what address they accept. If you are talking to your own mail server, you can configure it to accept these messages, but make sure you don't allow your mail server to become a spam relay.

I would argue that ezmlm's behavior is wrong. It should use the From: header to determine the address to subscribe. Its behavior inhibits what you are trying to do, generating a subscription message on behalf of someone else. By forging the Return-Path, all bounce messages will go to the user. They really should go to an address that you look at. It doesn't provide any extra security from forgery or spam because the Return-Path is as easy to forge as the From: header.

You probably don't have any choice in which mailing list program you are using. If you have control of the mailing list, you might want to check if there is some way you can change this behavior, or if there is some other way to access the subscription process.
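The distinction drawn above, envelope sender versus From: header, as an added Perl example (not code from this thread or from ezmlm): the message is piped to the local sendmail binary, the From: header carries the user's address, and sendmail's -f switch sets the envelope sender (which becomes the Return-Path) to a bounce address the site operator reads. The sendmail path, the placeholder addresses and the clean_address check are assumptions for the example; whether the MTA honours -f for the web server's user is a site configuration question.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes sendmail is at
# /usr/sbin/sendmail; all addresses are constructed placeholders.
use strict;
use warnings;

my $SENDMAIL = '/usr/sbin/sendmail';

# Accept only a plain user@host form and reject CR/LF, whitespace and
# header punctuation, so a form value cannot add extra header lines.
sub clean_address {
    my ($addr) = @_;
    return undef unless defined $addr;
    return undef if $addr =~ /[\r\n\s<>,;]/;
    return $addr if $addr =~ /^[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
    return undef;
}

sub send_on_behalf {
    my (%args) = @_;
    my $from   = clean_address($args{from})   or die "bad From address\n";
    my $to     = clean_address($args{to})     or die "bad To address\n";
    my $bounce = clean_address($args{bounce}) or die "bad bounce address\n";
    (my $subject = $args{subject} // '') =~ s/[\r\n]+/ /g;

    # -f sets the envelope sender (SMTP MAIL FROM), which the receiving
    # side records as Return-Path; -t takes recipients from the headers;
    # -oi keeps a lone "." line from ending the message. The list form of
    # open passes arguments directly, with no shell in between.
    open(my $mail, '|-', $SENDMAIL, '-t', '-oi', '-f', $bounce)
        or die "cannot run $SENDMAIL: $!\n";
    print {$mail} "From: $from\n";        # the person the mail is for
    print {$mail} "To: $to\n";
    print {$mail} "Subject: $subject\n";
    print {$mail} "\n";                   # blank line ends the headers
    print {$mail} "$args{body}\n";
    close($mail) or die "sendmail exited with status $?\n";
    return 1;
}

# Constructed sample call: bounces go to an address the operator reads,
# while From: still names the user the form was filled in for.
send_on_behalf(
    from    => 'user@example.org',
    to      => 'list-subscribe@example.net',
    bounce  => 'form-bounces@example.com',
    subject => 'subscribe',
    body    => 'Subscription request generated by the web form.',
) if $0 eq __FILE__;
```

With a list manager that keys on Return-Path, as the post describes for ezmlm, the bounce address rather than the From: address is what it would subscribe, which is exactly the conflict the post points out.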


Re: Re: Re: Re: form+subscription+Perl+sendmail = TROLL
by vnomad (Novice) on Nov 07, 2002 at 01:01 UTC
    Greetings, and good news.
    But first, thanks for all the generous help I am receiving!
    I also assumed that it might not be possible to `forge' the Return-Path header, but decided I would try anyhow, and added the line
    print MAIL "Return-Path: $from\n";

    to my soup. To my surprise it worked, and the subscription button works fine now. That header was disturbingly easy to change . . .

    Now I need to take a closer look at security. But it sure is nice to have overcome this particular troll.
    Since I am hosted by `Prohosting.com' I took what they have given, and that is ezmlm for a mailing list.

    Thanks again to all that had mercy on my little silly predicament!
    Dagfinn

    Volda, Norway, where trolls dance on the telephone wires