injection spam

I’ve upgraded to v2.3.3, which closes a security hole that was permitting spammers to “inject” spammy links directly into posts via xmlrpc.php, and thereby avoid the “nofollow” attribute that is automatically applied to links in comments (i.e., the usual mechanism to deprive comment spammers of the PageRank mojo they seek). The spam links were surrounded by “noscript” HTML tags, which made them invisible in the browser and so hid them from detection and removal. However, since RSS feed readers do not interpret JavaScript, the spam was revealed, and I am grateful to Dave and to Gothmog for alerting me to the problem.

If you have a WP blog, you should upgrade ASAP to the latest version. FYI to all the otaku blogs I link to on my blogroll here: I have not noticed any spam links via your feeds, though I am a bit behind on my reading. You all should upgrade ASAP.
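To check existing posts for the hiding trick described above, here is an added example (not part of the original post) that parses post bodies and reports any links nested inside noscript elements. The function names and the sample posts are constructed for illustration; feed it post bodies from whatever export or feed you have.

```python
from html.parser import HTMLParser

class NoscriptLinkFinder(HTMLParser):
    """Collect <a href> links that sit inside <noscript> elements."""
    def __init__(self):
        super().__init__()
        self.depth = 0        # how many <noscript> elements are open
        self.current = None   # link whose anchor text is being collected
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "noscript":
            self.depth += 1
        elif tag == "a" and self.depth:
            self.current = {"href": dict(attrs).get("href") or "", "text": ""}
            self.links.append(self.current)

    def handle_endtag(self, tag):
        if tag == "noscript" and self.depth:
            self.depth -= 1
        elif tag == "a":
            self.current = None

    def handle_data(self, data):
        if self.current is not None:
            self.current["text"] += data

def find_hidden_links(html):
    finder = NoscriptLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.links

def scan_posts(posts):
    """Map post id -> hidden links, keeping only posts that contain any."""
    hits = ((pid, find_hidden_links(body)) for pid, body in posts.items())
    return {pid: links for pid, links in hits if links}

# Constructed sample post bodies (not taken from any real blog).
SAMPLE_POSTS = {
    101: "<p>Review of this week's episode.</p>",
    102: "<p>Con report.</p><NOSCRIPT><a href='http://spam.example/pills'>"
         "cheap pills</a> <a href=\"http://spam.example/loans\">loans</a></noscript>",
    103: "<p>See <a href='http://friend.example/'>this blog</a>.</p>",
}

if __name__ == "__main__":
    print(scan_posts(SAMPLE_POSTS))
```

Ordinary visible links, like the one in sample post 103, are not reported; only anchors nested in a noscript element are.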