Okay, I think I have this fixed. I went and grabbed this plugin:
http://wordpress.org/extend/plugins/wp-security-scan/
and ran the scan. I discovered that some of my directories, including my /js directory, were dangerously writable. I used my FTP client to change these directories to the correct file permissions.
That seems to have fixed the error, the spam is no longer showing up.
Something similar has happened to me. Since I upgraded to 2.8, posts for my main RSS feed have been showing up as spam in Google Reader. However, the feed works fine in Bloglines, and not everyone is seeing it as spam.
As far as I know the site is not hacked. I am checking the files now. Can anyone help?