There's really nothing that can be done as it is happening server-side. (I crapped myself when I read the first email thinking that my machine may have been compromised. It was a relief when I found out it wasn't.)
If you found an exploit for Wordpress, then you might be able to do something about it depending on the severity. But in all likelihood, you could only do it for a site that you control, and not for all Wordpress sites, which makes fixing the problem illegal irrespective of the scope, so why risk jail to fix the problem just for yourself?