Fwd: 👉 [New Releases] AskAI Blogs, Smarter AI Agents & Quiz Customization

New releases that make content creation, AI agents, and quiz results work harder for you:

• ✍️ AskAI Writes Full Blog Posts: Generate complete, structured blog drafts from a single prompt without leaving HighLevel

• 🏠 Rental Listings Copy via Snapshots: Replicate fully configured rental setups across sub-accounts in a few clicks

• 🧠 AI Agent Searches Your Knowledge Base: Agents now pull relevant context at runtime instead of relying on bloated static prompts

Read now 👇

 ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

GHL News New releases that make content creation, AI agents, and quiz results work harder for you: ✍️ AskAI Writes Full Blog Posts: Generate complete, structured blog drafts from a single prompt without leaving HighLevel 🏠 Rental Listings Copy via Snapshots: Replicate fully configured rental setups across sub-accounts in a few clicks 🧠 AI Agent Searches Your Knowledge Base: Agents now pull relevant context at runtime instead of relying on bloated static prompts Read now 👇

Ask AI Now Writes Full Blog Posts for You Ask AI inside HighLevel can now write full blog posts from a single topic or prompt. You get structured headings, web-informed content, multilingual output, and the ability to reference URLs or images, all without leaving the platform. That means less time assembling content and more time actually publishing it. Here is what this opens up right now: Full drafts, fast: Ask AI builds a complete structured blog post from just a topic or prompt. Smarter context: Web-based references and URL inputs help the content stay accurate and relevant. Global-ready content: Generate blog posts in multiple languages to reach audiences wherever they are. ideas.gohighlevel.com Email Tweet

HighLevel Snapshots Now Copy Rental Listings Instantly HighLevel now includes Rental Listings and Categories when creating or loading Snapshots. That means you can copy a fully configured rental setup from one sub-account to another in just a few clicks, without rebuilding everything from scratch each time. Here is what this means in practice: Listings transfer: Configured rental listings copy over to the destination sub-account automatically. Structure stays intact: Listing groupings and organization carry over exactly as set up in the source account. Full control: Rental assets can be selected independently, so you choose exactly what gets copied. ideas.gohighlevel.com Tweet

Stop losing leads to unread emails and ignored SMS. Turn Your CRM into a Blue Bubble Machine With BlueSendr, you can send and receive native iMessages directly inside your CRM — no A2P, no message fees, no extra phone line. Here's what you unlock: 📩 Real iMessages (blue bubbles!) — read receipts, typing alerts, rich media 🔁 Bi-Directional Sync — every convo auto-logs to the CRM 📱 Use Your Existing Number — skip carrier headaches ⚡ 98% Open Rates — reach customers where they actually respond 🚀 Set Up in Minutes — connect Apple ID → link CRM → start closing Join 1,000+ fast-moving teams and turn conversations into revenue. Start Sending or Request a Demo

AI Agent Now Searches Your Knowledge Base Automatically The AI Agent action in HighLevel can now search your knowledge base directly during a conversation. Instead of stuffing your prompt with FAQs and pricing details, the agent fetches exactly what it needs, when it needs it. That means cleaner context, fewer tokens, and sharper answers. Here is what this changes right now: Smarter retrieval: The agent pulls only relevant knowledge base chunks at runtime, not a wall of static text. Flexible queries: You can set a fixed search query or let the agent decide what to look for based on the conversation. One source of truth: Your business details live in the knowledge base, and the agent taps into them on demand without duplication. ideas.gohighlevel.com Tweet

HighLevel Lets You Customize Every Quiz Result Category Personality quizzes just got a lot more useful. HighLevel now lets you customize the result page content for each individual category, so someone who scores highest in "Career Ready" sees something completely different from someone who lands in "Needs a Career Coach." You control the text, images, videos, CTA copy, and links for every outcome. Here is what this opens up: Personalized results: Each category gets its own tailored content instead of one generic result page for everyone. Faster setup: The first category acts as a default template, so you are not starting from scratch every time. Flexible scoring logic: You can apply custom content to both highest-scoring and lowest-scoring category results. ideas.gohighlevel.com Tweet

AI Agent Now Writes Directly to Custom Values HighLevel's AI Agent action now includes Update Custom Value as a built-in tool. Instead of building out sprawling If/Else trees just to set a field based on the day, a date format, or a pipeline stage, the agent handles it in a single step. That alone cuts a lot of unnecessary complexity out of your automations. Here is what this means for your workflows: Fewer branches: The agent replaces multi-step conditional logic with one clean action tied to context. Flexible control: You can lock in a specific custom value field or let the agent decide which field fits the situation. Faster builds: Schedules, promo codes, and date formatting no longer need their own branching paths to work. ideas.gohighlevel.com Tweet

New here? Signup   Forward To Your Friends

Copyright © 2026 GHL News. All rights reserved

Fwd: Someone's been living in my inbox 🥡

Worth repeating. 

---- Forwarded message ---------

From: Rachel @ WP Mail SMTP <support@wpmailsmtp.com>

and they order a LOT of takeout ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

Hey there,   Something curious happened to me today. I got an email from Google asking me to log into my secondary Gmail account (that I’ve not used in years) to avoid deletion.    When I logged into the account I found 2,604 emails that weren’t for me. On further inspection, it seems someone has been signing up for various apps and services using my email account. Over half of these emails were from a food delivery service called Swiggy so while I don’t know anything else about them, I’m pretty confident that they can’t cook.   Anyway, none of these emails had been read, which tells me they didn’t actually get into my account. And apart from random notifications, there were some more concerning emails like 2FA codes from Facebook and security notifications from their other Gmail account. If I wanted to, I could probably get access to their accounts. In other words, they weren’t trying to scam or spam me but they clearly thought that MY email address was THEIR email address.   This happens more than you might think, especially if you have a relatively popular or generic email address. I once had to email a dating app asking them to close an account someone set up using my address because… well… I didn’t want to have to try and explain that to my husband. 😅   There are a whole host of security and other concerns for the people who are putting the wrong email address into forms. But if that form is on your website, it opens up a world of trouble for you too.   Let’s go back to those 1k+ Swiggy emails. I don’t want those in my inbox, even if it is my secondary inbox. So I bulk-selected every one and blocked them. Which automatically marks them as spam.   If you suddenly get over a thousand spam complaints, it’s probably going to put a bit of a dent in your sender reputation.   So you do not want people typing in the wrong email address into your forms. Even if it’s a real email address.   Luckily, there are a few different ways to prevent this and I’ve covered the basics on the blog in a guide to email validation for WordPress forms. If you’re not already validating form data that includes email addresses, I’d highly recommend taking a look.   And as for me, I will be logging into my secondary Gmail account a little more often and going and marking a few more emails as spam.   Until next week, Rachel Product Educator, WP Mail SMTP   P.S. Was this email helpful?    🔥 Yes! Love it 😐 It's OK 👎 I didn't like it

We're ❤️ Hiring! Join Our Team Have a Question? Send Us a Message © 2026 WPForms, LLC. All Rights Reserved. 400 Executive Center Drive, Ste 208, West Palm Beach, FL

Click Me

Fwd: Resource Usage Summary for rauterkus1

--
Ta.
 
 
Mark Rauterkus       Mark.Rauterkus@gmail.com

Podcast:    =:| Heavy Or Not <;) - The OG Swim Guide

Mark@Rauterkus.com    <--- causing lots of missed messages, sadly.

Webmaster, International Swim Coaches Association, SwimISCA.org

and other sites: SKWIM.us, U CAN Swim

Coach at The Ellis School for Varsity & Middle School Swimming

412 298 3432 = cell

New course: Mental Skills for Young Athletes

---------- Forwarded message ---------
From: <support@pair.com>
Date: Mon, Jun 1, 2026 at 12:18 AM
Subject: Resource Usage Summary for rauterkus1
To: <Mark.Rauterkus@gmail.com>
CC: <mark@rauterkus.com>

This summary covers the most recent month of service, and charges have
been posted to your billing records, if any over-usage is shown below.
These charges will appear on your statement within the next few days.
This is NOT a bill, but it does represent upcoming charges.

This is an automated report generated by Pair Networks, Inc.  If this
has been misdirected, please let us know at support@pair.com.

This summary covers the dates April 30, 2026, through May 30, 2026,
inclusively.

  Date       Bandwidth Usage
  ----       ---------------
 Apr 30                 6.87 GB
 May  1                 9.42 GB
 May  2                20.57 GB
 May  3                27.41 GB
 May  4                29.63 GB
 May  5                11.91 GB
 May  6                13.37 GB
 May  7                15.01 GB
 May  8                17.59 GB
 May  9                31.56 GB
 May 10                33.57 GB
 May 11                    0 GB
 May 12                35.33 GB
 May 13                27.54 GB
 May 14                33.31 GB
 May 15                35.66 GB
 May 16                30.05 GB
 May 17                27.76 GB
 May 18                24.96 GB
 May 19                20.22 GB
 May 20                19.99 GB
 May 21                16.22 GB
 May 22                16.85 GB
 May 23                18.09 GB
 May 24                34.11 GB
 May 25                22.07 GB
 May 26                 4.75 GB
 May 27                 5.51 GB
 May 28                 0.48 GB
 May 29                11.32 GB
 May 30                 5.59 GB
  ----       ---------------
 TOTAL                571.05 GB
 Total Bytes:     613,156,425,436 =        571 GB
 Allowance:                              12288 GB

This summary includes all resource usage for the most recent calendar
month.  Charges for over-usage, if any, are shown above, and will appear
on your next billing statement.


1 Gigabyte (GB) is equal to 1024 Megabytes, or 1,073,741,824 bytes.
Pair Networks pricing policy is to always round down fractional Gigabyte
transfer amounts.  For example, if you had a total monthly transfer of
314,159,265,358 bytes, this would be 292.583615 GB, which is rounded
down to 292 GB.

If you have any questions about your usage or this report, please contact
us at support@pair.com.

Thank you for choosing Pair Networks!

Loud Noises and Sounds at Baseball Parks

https://frontofficesports.com/newsletter/how-ballparks-got-so-loud/

Memo to Wordfence folks - Malware Samples and Reappearing WordPress File Writer: Have You Seen This Pattern?

Request for Guidance: Persistent WordPress Malware Reinfection and Reappearing File Writer

Hello Wordfence Team,
I am writing to document a difficult, ongoing WordPress security incident and to ask whether your team has seen this pattern before.
I am the webmaster for multiple small nonprofit, sports, coaching, and community websites hosted under a Pair Networks account, rauterkus1. I use Wordfence on a number of these WordPress sites. Wordfence has helped identify many of the bad files, but the larger issue is that some malware directories and files are reappearing after deletion. I am trying to move from cleanup mode to root-cause mode.
I would be open to a phone conversation if someone at Wordfence is interested. I can also supply more detail, saved files, logs, screenshots, and possibly a backup/archive for inspection. Forensics is not my strength, but I have preserved some useful evidence.
Summary of the incident
This began as what looked like a normal WordPress malware cleanup: Wordfence alerts, unknown files in core locations, modified core files, suspicious .htaccess files, and unauthorized WordPress administrator accounts.
However, the situation became more serious because after deleting malware files, certain directories and files reappeared.
The most important recurring infection path has been:
/usr/home/rauterkus1/public_html/waterpolo.cloh.org/wp-includes/sodium_compat/src/Core32/Curve25519/Ge
Files found or recreated there included:
queue_1.php
queue_1-3.php
16e2277f8b31_A
16e2277f8b31_B
.htaccess
Wordfence also found other unknown files in WordPress core locations, including examples under:
wp-includes/sodium_compat/
wp-admin/css/colors/sunrise/
wp-admin/maint/
wp-includes/certificates/KINGSMAN/
wp-includes/sitemaps/providers/
Some file names reported or observed included:
wp-olite.php
mjc0.php
mjc0-2.php
mjc0-3.php
outbound.php
dwn2.php
dwn2-2.php
dwn2-3.php
perl.haxor
py.haxor
bash.haxor
class-wp-sitemaps-cache.php
Important file behavior
The file queue_1.php appeared to start a PHP session, accept data from a request, store it in session data, and rename itself using the session ID and session path.
The file queue_1-3.php appeared more serious. It decoded hidden numeric strings into PHP functions such as file_put_contents and chmod. It accepted request variables such as x1 and x2 and appeared able to write arbitrary files.
That seems to explain why deleting visible files is not sufficient. If any web-callable copy of this writer remains reachable, a bot or attacker may be able to recreate the malware tree.
A local .htaccess file inside the infected folder included rules that allowed PHP files to execute from that deep location. In other words, the folder appeared to be prepared as an executable hideout, not merely a storage location.
What we have done so far
We have taken many containment and cleanup steps:
Deleted unauthorized WordPress administrator accounts.
Changed WordPress admin passwords.
Rotated WordPress SALT keys on affected sites.
Changed database passwords on some affected sites.
Reinstalled or reactivated Wordfence on multiple sites.
Used Wordfence to delete flagged unknown core files.
Added .htaccess hardening rules.
Blocked XML-RPC where not needed.
Blocked direct wp-comments-post.php where comments are not used.
Disabled or retired unneeded sites where possible.
Moved some mission-critical sites away from the compromised environment.
Nuked all old FTP accounts and plan to recreate only temporary, limited access accounts as needed.
Began inspecting raw logs from Pair Networks.
Kept some suspicious files and screenshots for evidence.
Complicating factor: web root disruption
During the response, the main web directory structure became disrupted. Many sites that had been under:
/usr/home/rauterkus1/public_html/
ended up under:
/usr/home/rauterkus1/public_html/public_html.bak/
Pair Networks has said they only renamed public_html as a test and did not restore a backup. They also said that any available backups may already be compromised.
The current working approach is not to restore the entire old tree blindly. We are treating public_html.bak as contaminated source material, not as trusted clean backup.
Host observations
Pair Networks reported that the suspicious files were being written as my account user. They did not see active cron jobs, SSH logins, or obvious FTP logins from unknown IPs in the basic account access records. FTP logins that were shown came from my own IP address. That does not rule out web-executed malware, compromised local credentials, or a surviving PHP writer elsewhere under the account.
The recurring theory is that a surviving web-callable PHP writer, possibly in another WordPress install or old site folder, is recreating the malware tree.
Questions for Wordfence
Have you seen this specific pattern before?
In particular:
Have you seen malware hiding under paths like:
wp-includes/sodium_compat/src/Core32/Curve25519/Ge
Have you seen payload pairs like:
16e2277f8b31_A
16e2277f8b31_B
Have you seen writer files using request parameters like x1 and x2 to call decoded file_put_contents and chmod?
Is this associated with a known malware family, campaign, or exploit chain?
Is there a recommended way to search across an entire hosting account for related writer/dropper files, not just one WordPress installation?
Can Wordfence scan outside the normal WordPress directory if multiple WordPress sites share one hosting account?
Is there a Wordfence-supported method to identify the original vulnerable plugin, theme, upload folder, or entry point?
Are there specific log patterns I should search for in raw Apache logs, such as POST requests to unusual PHP files under wp-includes, wp-content/uploads, or wp-admin?
What should I preserve before continuing cleanup?
Is this the kind of case where Wordfence Care or Wordfence Response would normally be appropriate, even if I am first seeking guidance or an estimate?
Help requested
I am not expecting free emergency remediation, but I am asking for guidance.
I would appreciate knowing:
Whether this pattern is familiar to your team.
Whether specific file names or paths indicate a known malware family.
Whether there are recommended searches or YARA-like signatures I should run.
Whether Wordfence has documentation for multi-site shared-hosting reinfection loops.
Whether you can suggest a safer sequence for cleanup, scanning, and password rotation.
Whether someone at Wordfence would be willing to review a small sample set of files.
Whether you offer an estimate or bid for this type of incident review.
I am also open to suggestions about other security professionals or tools that may help. If there is a more specialized forensic GPT, scanner, or incident-response workflow you recommend for WordPress malware on shared hosting, I would be interested.
Current status
This is still a work in progress.
Some sites have been stabilized. ACEN has been temporarily redirected to a clean Pairsite location. SwimISCA.org has been moved to a different server. Blog.SwimISCA.org was restored after fixing a missing PHP 8.4 wrapper. FTP accounts have been removed. Raw logs are being gathered.
The key unresolved issue is identifying and eliminating the surviving writer or entry point that caused malware files to reappear after deletion.
Thank you for any guidance you can provide.
Sincerely,
Mark Rauterkus