Let me stress that this is NOT a fault in WP 2.3. I had this in 2.1. It's just that most everyone has upgraded and since their upgrades are new and this phenomena is new, they assume that they are connected. They are not.
My web host now has a post on their pages saying that not only WordPress but also Joomla and other CMS systems have been targeted in the same manner.
They say that in most cases it is because the file configuration.php has been readable and even in some cases writable by others.
I have now changed the permissions to make it unwritable, but WP doesn't work at all unless this file is readable to all. It needs to be at least 444. This is as you all know where the database password is openly written, and the database is where the links to the spam has been entered.
My host's web page goes on to say that we need to change the MySQL password for the database. This I have done, but the new password is just as openly written in the config file as the old one.
They also say that it is a good idea to upgrade to MySQL 5.x, but I don't know if WP will run smoothly on that? I remember there was sometalk about that a while ago, but I cannot find anything now.
I'm starting to think that it's a weakness with the very construction of the WP configuration file system, having a password written in plain text like that. Someone has finally figured out how to make use of it and this can be the beginning of many other more serious attacks.