Ok, what some people already wondered seems to happen. Although I did not find the flaw by myself it seems this blog is hosted with a widget that has a security problem. For now I disabled the widget but it does worry me.
WordPress.com offers a widget to show what users are clicking on (outside/inside links from your blog). This morning I found that it showed links to some evil medical sites and posted about it at the forum. The links are not posted on my site but it seems the blog spammers found a way to bypass the module.
Some 12 hours after that nobody seems to pay attention, not even on irc. I sure hope I do not need to switch back to blogger.com.