If you read Mollom’s API documentation, you can see that some calls have an (optional) parameter called author_ip. In PHP Mollom the IP-address is set automagically, so you don’t have to worry. But the variable I used could be spoofed.
As you know, getting the right IP-address is not that easy. If your application is running behind a reverse proxy, $_SERVER['REMOTE_ADDR_HTTP'] contains the reverse proxy’s IP. Or if your application is running on a cluster setup, the client’s IP-address is stored in $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'].
But both of these variables can be spoofed by spammers, so we cannot be sure these values are right. So PHP Mollom needs to know the allowed IP-addresses for the reverse proxies. I built in a function Mollom::setAllowedReverseProxyAddresses that accepts an array of allowed IP-addresses.
Please update your applications with the new version.
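The allow-list idea described above, as an added example that is not PHP Mollom's own code: a header-supplied client address is accepted only when the connection itself comes from a known reverse proxy. The helper name resolveClientIp() and the sample addresses are assumptions made for illustration; REMOTE_ADDR is PHP's standard variable for the connecting peer.

```php
<?php
// Added example, not PHP Mollom's code. resolveClientIp() is a hypothetical helper.

/**
 * Return the client IP to report as author_ip.
 *
 * @param array $server         Typically $_SERVER.
 * @param array $allowedProxies IP addresses of the reverse proxies you operate.
 */
function resolveClientIp(array $server, array $allowedProxies)
{
    // REMOTE_ADDR is the peer of the TCP connection; the web server sets it,
    // it is not copied from a request header.
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : null;
    if ($peer === null || filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Only a request that arrived from one of our own proxies may replace
    // the peer address with a value taken from a header.
    if (!in_array($peer, $allowedProxies, true)) {
        return $peer;
    }

    // Header named on this page for cluster setups.
    if (isset($server['HTTP_X_CLUSTER_CLIENT_IP'])) {
        $candidate = trim($server['HTTP_X_CLUSTER_CLIENT_IP']);
        // Reject anything that is not a syntactically valid IP address.
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }

    return $peer;
}

// Constructed sample requests (documentation address ranges).
$proxies = array('192.0.2.10');

// Direct connection carrying a forged header: the header is ignored.
$spoofed = array('REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_CLUSTER_CLIENT_IP' => '198.51.100.99');
var_dump(resolveClientIp($spoofed, $proxies));

// Connection from an allowed proxy: the header value is used.
$proxied = array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_CLUSTER_CLIENT_IP' => '198.51.100.23');
var_dump(resolveClientIp($proxied, $proxies));
```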