Author: Alexander

  • Spam Bot ph******@*********ls.my — How to Block It and Stop Website Attacks

    A sophisticated spambot operating under the email address ph******@*********ls.my became one of the most active threats in late 2025. Since its discovery on November 10, 2025, this automated attacker has spammed 11,428 websites, with the last recorded activity being December 15, 2025. The CleanTalk anti-spam service currently blocks approximately 9,048 requests per day from this single email address—that’s over 375 spam attempts every hour.

    Unlike obvious spam, the messages mimic legitimate customer support requests, making them difficult to detect without advanced anti-spam protection.

    Spam Messages Used by ph******@*********ls.my

    This bot sends seemingly mundane questions about service offerings, appearing to be from potential customers:

    1. “Is there a referral program?”
    2. “Do you offer maintenance plans?”
    3. “Do you work weekends?”
    4. “Can I pay with PayPal or other methods?”
    5. “Do you offer support after purchase?”
    6. “Do you offer consultations over Zoom or phone?”
    7. “Do you offer recurring service plans?”
    8. “Do you offer service in rural areas?”
    9. “Can I pick up instead of delivery?”
    10. “Can I get a service checklist after the job?”
    11. “Can I get a quote by text or email?”
    12. “Do you offer financing through a third party?”

    It’s very difficult to tell if a message is spam based on its content. This poses the risk of you replying and having your email harvested by spammers. It’s hard to say how they’ll use it, but it’s safe to assume it could be used to send spam to websites or to try to gain access to your website account.

    How to Block Spam from ph******@*********ls.my

    If you’re seeing traffic or spam submissions from this email, here’s how to stop it:

    1. Use CleanTalk Anti-Spam Plugin
    Install the CleanTalk Anti-Spam plugin for your CMS (WordPress, Joomla, Drupal, etc.). It automatically filters requests by checking emails, IPs, and behavior against the global CleanTalk Spam Database.

    This email is already blacklisted and will be blocked automatically by the plugin.

    2. Manually Block the Email (if needed)
    If you want to block it manually in addition to using CleanTalk:

    Add ph******@*********ls.my to your site’s block list.

    Block common IPs that were used in attacks.

    Monitor your server logs for repetitive POST requests.

    ph******@*********ls.my is a known spammer attacking thousands of sites daily. By installing proper anti-spam protection like CleanTalk and staying vigilant, you can block these threats before they reach your visitors.

    If you’re already using CleanTalk, rest assured — this spammer is on the blacklist and will be filtered automatically.

    You can check any email or IP for spam activity on our BlackLists page.

    🧩 Want full protection?

    ✅ Blocks fake registrations and spam submissions
    ✅ Filters bots and fake emails in real time
    ✅ No CAPTCHAs or puzzles – clean and fast

    Stay ahead of spam – let CleanTalk handle the bots so you can focus on your content. Protect your site in under 5 minutes.

  • How Agencies Use CleanTalk to Secure High-Risk WordPress Environments

    WordPress powers business websites of every size and is one of the most commonly used tools in website development due to its massive developer ecosystem. However, in fast-growing and higher-risk digital environments, WordPress also has a long history of vulnerabilities, often exploited because of its large and open plugin ecosystem.

    At CleanTalk, we regularly work with professional WordPress agencies managing business-critical websites across healthcare, infrastructure, and enterprise sectors. In these contexts, security solutions must be reliable, lightweight, and proven over time.

    One such example comes from Myanmar, where a regional web development agency, Bold Label, manages multiple high-traffic and high-visibility WordPress sites for enterprise clients.

    CleanTalk as a Long-Term Security Standard

    Rather than relying on multiple overlapping plugins or reactive fixes, Bold Label made an early decision to standardize on CleanTalk as its primary WordPress security layer across client projects. CleanTalk became the default security foundation for all Bold Label–managed WordPress installations.

    This approach reduced plugin bloat, simplified maintenance, and made security behavior predictable across different sites and industries.

    Securing Medical Platforms at Scale

    Healthcare websites are among the most sensitive WordPress environments. They handle patient inquiries, appointment requests, and critical informational content that must remain accessible and trustworthy.

    One of the largest diagnostic centers in Myanmar operates its main website on WordPress, with ongoing management by Bold Label. CleanTalk has been actively protecting this site by blocking automated attacks, filtering spam submissions, and preventing malicious access attempts.

    The result has been stable operations, clean form data, and minimal administrative overhead through an easy-to-manage dashboard. Security remains effective without interfering with legitimate patients or medical staff.
    See website.

    Protecting Industrial and Corporate Websites

    CleanTalk is equally effective for corporate and infrastructure-focused websites that face different threat profiles.

    A leading powerline and electrical construction company in Myanmar relies on CleanTalk for malware protection and abuse prevention on its corporate WordPress site. Managed by Bold Label, the site serves as a key business touchpoint for partners and institutional stakeholders.

    CleanTalk keeps the site clean, fast, and uncompromised, even under constant background scanning and automated threats.
    See website.

    Why Agencies Standardize on CleanTalk

    For agencies like Bold Label, WordPress security is not an upsell feature. It is part of delivery responsibility.

    By standardizing on CleanTalk, agencies reduce maintenance complexity, shorten incident response time, and avoid reactive security workflows. This allows development teams to focus on performance, UX, and scalability rather than ongoing cleanup and monitoring.

    Practical Security in Real Deployments

    These deployments show how CleanTalk operates in real production environments, not just controlled test cases.

    Across healthcare and industrial websites, CleanTalk delivers consistent protection with minimal configuration and low ongoing overhead. While these examples come from specific sectors, the same approach applies to any WordPress site that requires stable, long-term security.

    CleanTalk can be deployed across a wide range of use cases, from corporate and service websites to high-traffic platforms. Details on available plans and pricing are available on the CleanTalk website.

  • Spam Bot di**************@***il.com — How to Block It and Stop Website Attacks

    The email address di**************@***il.com has been reported for sending spam and launching automated malicious requests on thousands of websites.

    According to CleanTalk BlackLists, this address has:

    • Attacked over 10,002 websites
    • Generated approximately 17,304 spam requests in the last 24 hours
    • The bot uses many different IP addresses from all over the world.
    • First detected on June 19, 2025
    • Last activity recorded: Nov 21, 2025 06:28:40 GMT0.

    The bot is currently blacklisted in CleanTalk Anti-Spam databases.

    What Does This Spam Bot Do?

    This spam bot employs a multilingual approach, sending seemingly innocent pricing inquiry messages in various languages to bypass basic spam filters. The messages appear legitimate at first glance, making them particularly insidious for website owners who might mistake them for genuine customer inquiries.

    Common Spam Messages from di**************@***il.com

    The bot sends variations of pricing inquiries in multiple languages:

    • Danish: “Hej, jeg ønskede at kende din pris.”
    • Indonesian: “Hai, saya ingin tahu harga Anda.”
    • Latin: “Hi, ego volo scire vestri pretium.”
    • Albanian: “Hi, kam dashur të di çmimin tuaj”
    • English: “Hi, I wanted to know your price.”
    • Spanish: “Hola, quería saber tu precio..”
    • Zulu: “Sawubona, bengifuna ukwazi intengo yakho.”

    All these messages translate roughly to:
    “Hi, I wanted to know your price.”

    The bot repeats this pattern on contact and comment forms.

    Here is a snapshot from CleanTalk’s logs:

    “17304 requests in 24 hours detected from multiple IP addresses. All actions associated with spam form submissions and bot-like behavior.”

    di**************@***il.com spam report Nov 21, 2025 06:28:40 GMT0

    How to Block Spam from ze**********@***il.com

    If you’re seeing traffic or spam submissions from this email, here’s how to stop it:

    1. Use CleanTalk Anti-Spam Plugin
    Install the CleanTalk Anti-Spam plugin for your CMS (WordPress, Joomla, Drupal, etc.). It automatically filters requests by checking emails, IPs, and behavior against the global CleanTalk Spam Database.

    This email is already blacklisted and will be blocked automatically by the plugin.

    2. Manually Block the Email (if needed)
    If you want to block it manually in addition to using CleanTalk:

    Add ze**********@***il.com to your site’s block list.

    Block common IPs that were used in attacks (CleanTalk logs show many from Russian ranges).

    Monitor your server logs for repetitive POST requests.
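
    One way to act on the log-monitoring step in both spam-bot posts above, as an added example (not CleanTalk's code): because these bots rotate through many IP addresses, it counts POST bursts per form endpoint in a sliding window rather than per IP. The log lines are constructed samples in Combined Log Format, and the 10-minute window and threshold of 5 are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format (the default for Apache and nginx access logs).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Nov/2025:06:20:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Nov/2025:06:21:14 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Nov/2025:06:22:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.91 - - [21/Nov/2025:06:24:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Nov/2025:06:26:45 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.8 - - [21/Nov/2025:06:28:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.200 - - [21/Nov/2025:06:29:00 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.200 - - [21/Nov/2025:06:30:10 +0000] "POST /contact/?ref=home HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.201 - - [21/Nov/2025:09:15:00 +0000] "POST /contact/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return (ip, timestamp, method, path without query) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def repetitive_posts(lines, window=timedelta(minutes=10), threshold=5):
    """Return [(path, window_start, hits, distinct_ips)] for POST bursts.

    For each endpoint, a sliding window finds the busiest span of
    `window` length; it is reported when it holds >= `threshold` POSTs.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST":
            ip, ts, _method, path = rec
            posts[path].append((ts, ip))

    findings = []
    for path, events in posts.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            # Shrink the window until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold and (best is None or hits > best[1]):
                ips = {ip for _ts, ip in events[start:end + 1]}
                best = (events[start][0], hits, len(ips))
        if best:
            findings.append((path, best[0], best[1], best[2]))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for path, start, hits, ips in repetitive_posts(SAMPLE_LOG.splitlines()):
        print(f"{path}: {hits} POSTs from {ips} IPs, window starting {start}")
```

    A high hit count spread over many distinct IPs on one form endpoint is the pattern to look for; a per-IP rate limit alone would miss it.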

    ze**********@***il.com is a known spammer attacking thousands of sites daily. By installing proper anti-spam protection like CleanTalk and staying vigilant, you can block these threats before they reach your visitors.

    If you’re already using CleanTalk, rest assured — this spammer is on the blacklist and will be filtered automatically.

    You can check any email or IP for spam activity on our BlackLists page.

    🧩 Want full protection?

    ✅ Blocks fake registrations and spam submissions
    ✅ Filters bots and fake emails in real time
    ✅ No CAPTCHAs or puzzles – clean and fast

    Stay ahead of spam – let CleanTalk handle the bots so you can focus on your content. Protect your site in under 5 minutes.

  • Critical Vulnerability in WP Reset – Plaintext License Key Exposure via Public Log File (CVE-2025-10645)

    CleanTalk Research Team has identified a severe information disclosure vulnerability in the popular WordPress plugin WP Reset (400,000+ active installations). The issue allows unauthenticated attackers to obtain license keys and sensitive site metadata directly from a publicly accessible log file created by the plugin.

    This vulnerability has been assigned CVE-2025-10645 and independently confirmed by Wordfence.

    Potential Consequences


    1. License Abuse

    • License Theft: Using stolen keys on other websites
    • Resale: Illegally selling valid license keys
    • Financial Losses: Losses to plugin developers from illegal use

    2. Targeted Attacks

    • Infrastructure Reconnaissance: Collecting software version information to find other vulnerabilities
    • Phishing: Using website information for targeted phishing attacks
    • Social Engineering: Using data for convincing attacks

    3. Privacy Breach

    • Corporate Data Leak: Exposing organization names and internal URLs
    • Compliance Issues: Violation of GDPR/CCPA when personal data is leaked
    • Reputational Risks: Damage to reputation when a leak is discovered

    4. Attack Escalation

    • Exploit Chains: Using nonces and metadata for other attacks
    • Credential Stuffing: Using obtained information to attack other services
    • RCE Chains: Combining with other vulnerabilities for remote code execution

    Affected Versions

    Confirmed to be vulnerable: WP Reset version 2.05 and earlier
    Fixed in: version 2.06 (released September 18, 2025)

    CVE-2025-10645 poses a serious privacy threat to hundreds of thousands of WordPress sites using WP Reset. While the vulnerability does not allow direct code execution, the leak of license keys and metadata creates significant security risks and can lead to financial losses.
    This incident highlights the critical importance of secure logging practices:

    • Never write secrets in plaintext
    • Store logs outside the web root
    • Disable verbose logging in production
    • Audit and purge logs regularly

    Developers should treat logging with the same seriousness as password handling—any sensitive information must be protected at all stages of the application lifecycle.
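
    An added example (not from the WP Reset code base or the CleanTalk report) that applies the first two practices above as an audit: it walks a web root, finds log files that would be reachable over HTTP, and reports lines carrying secret-looking fields, with the values masked. The field-name list, the file suffixes, and the sample directory with `example-plugin` are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed suffixes for plugin-written logs; extend for your environment.
LOG_SUFFIXES = (".log", ".log.txt")

# Assumed field names that should never be logged with a plaintext value.
SECRET_RE = re.compile(
    r'(?i)\b(license[_-]?key|api[_-]?key|password|secret|token|nonce)\b'
    r'["\']?\s*[:=]\s*["\']?([^\s"\',;]{6,})'
)


def mask(value):
    """Keep two characters so findings can be matched without re-leaking."""
    return value[:2] + "*" * (len(value) - 2)


def audit_web_root(web_root):
    """Return sorted [(relative_path, line_no, field, masked_value)].

    Any log file found here sits inside the web root, so each finding is
    a secret that is both stored in plaintext and potentially downloadable.
    """
    findings = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(LOG_SUFFIXES):
                continue
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, web_root)
            with open(full, "r", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for field, value in SECRET_RE.findall(line):
                        findings.append(
                            (rel, line_no, field.lower(), mask(value))
                        )
    return sorted(findings)


def build_sample_root(base):
    """Create a constructed web root; names and values are placeholders."""
    plugin = os.path.join(base, "wp-content", "plugins", "example-plugin")
    uploads = os.path.join(base, "wp-content", "uploads")
    os.makedirs(plugin)
    os.makedirs(uploads)
    with open(os.path.join(plugin, "debug.log"), "w") as fh:
        fh.write("[2025-09-01 10:00:00] license check start\n")
        fh.write('[2025-09-01 10:00:01] request: {"license_key": '
                 '"EXAMPLE-KEY-0000", "site": "https://example.test"}\n')
        fh.write("[2025-09-01 10:00:02] nonce=a1b2c3d4e5\n")
    # Not a log suffix, so it is out of scope for this audit.
    with open(os.path.join(uploads, "readme.txt"), "w") as fh:
        fh.write("token=placeholder-not-scanned\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        for rel, line_no, field, masked in audit_web_root(tmp):
            print(f"{rel}:{line_no}: {field} = {masked}")
```

    Findings call for two fixes, not one: move the log outside the web root, and stop writing the field in plaintext.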

    References
    Wordfence Advisory:
    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-reset-2/wp-reset-205-unauthenticated-sensitive-information-exposure-via-wf-licensinglog 

    CleanTalk Research Report:
    https://research.cleantalk.org/cve-2025-10645/ 

  • Critical Vulnerability CVE-2025-11705: Arbitrary File Reading in Anti-Malware Security and Brute-Force Firewall

    The CleanTalk research team discovered a critical vulnerability in the popular WordPress plugin “Anti-Malware Security and Brute-Force Firewall” (GOTMLS), installed on over 100,000 websites. CVE-2025-11705 allows attackers with minimal privileges (Subscriber level) to read arbitrary files on the server, including the critical wp-config.php file, which contains database credentials and secret keys.

    This issue was independently confirmed by multiple parties, including Wordfence, and assigned CVE-2025-11705.

    Problem Description
    The vulnerability is a classic authorization breach chain involving token leakage and cross-context reuse. The main issue is that the GOTMLS_View_Quarantine AJAX endpoint displays the quarantine list to any authenticated user without checking access rights or validating nonce tokens.

    Summary of the Vulnerability

    The plugin exposes an internal AJAX endpoint, GOTMLS_View_Quarantine, to any authenticated user, without performing any capability checks or verifying a security nonce.

    When this endpoint renders the quarantine interface, it embeds a valid GOTMLS_mt token into HTML links.

    Because other privileged AJAX handlers — such as:

    • GOTMLS_scan
    • GOTMLS_empty_trash

    — rely only on the leaked token and do not enforce current_user_can(…), a low-privileged user (e.g., Subscriber) can:

    ✔ Reuse the leaked token
    ✔ Trigger GOTMLS_scan
    ✔ Supply an arbitrary file path
    ✔ Receive the contents of that file

    This includes highly sensitive files like:

    • wp-config.php
    • credential-containing logs
    • backup files
    • environment configuration

    Additionally, the same token works with GOTMLS_empty_trash, allowing the attacker to delete quarantine records, effectively tampering with detection artifacts.

    Affected versions
    The vulnerability has been confirmed in version 4.23.81 and earlier of the Anti-Malware Security and Brute-Force Firewall plugin.

    The developers have already released a plugin update that addresses this issue. Users should update to the latest version.

    Wordfence Advisory:
    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gotmls/anti-malware-security-and-brute-force-firewall-42381-missing-authorization-to-authenticated-subscriber-arbitrary-file-read 

    CleanTalk Research Report:
    https://research.cleantalk.org/cve-2025-11705/ 

  • Client Review: Maker Of Jacket

    We’re happy to share another story from one of our valued clients — Maker Of Jacket.

    At CleanTalk, we always appreciate hearing how our service helps real businesses operate more smoothly. Feedback like this motivates our team to continue improving our anti-spam technologies and deliver reliable, invisible protection for websites of all sizes.

    Today’s highlight comes from Maker Of Jacket.

    About Maker Of Jacket:
    Since 2017, Maker Of Jacket has specialized in handcrafted, customizable, high-quality jackets and leather apparel. From biker to varsity styles, every piece is crafted with premium materials and trusted by over 6,000 happy customers worldwide. Our products are made-to-order, and we serve customers globally, ensuring a smooth and secure shopping experience.


    “How we use CleanTalk:

    We use CleanTalk Anti-Spam to protect our website forms, including customer inquiries, order forms, and reviews, from spam bots. Since implementing CleanTalk, we’ve experienced a significant reduction in spam submissions, allowing our team to focus on genuine customer interactions and maintain a safe, efficient online environment.”

    We’d like to thank Maker Of Jacket for trusting CleanTalk to protect their website and for sharing their experience with our community.

  • How Spam Activity Changes Over Time — and Why It’s Not Related to License Expiration

    From time to time, website owners report a sudden increase in spam activity and try to link it to plugin settings, hosting, or license status.
    However, these assumptions often overlook how dynamic spam behavior truly is.
    To illustrate this, I conducted a small study analyzing spam distribution over time using data from several of our WordPress sites.

    First, I’ll look at data for three of our WordPress sites, which host our themed blogs. The statistics are for the year.

    1. Our blog, CleanTalk Anti-Spam and Security https://blog.cleantalk.org/

    The screenshot shows the statistics for the year.
    As you can see from the graph, the number of spam attacks isn’t linear, but fluctuates from month to month. Only since August has there been any stability, and the number of spam attacks has been more or less consistent.

    All time 10 979 spam blocked 10 21 2025 11 17 AM

    2. Our blog, research.cleantalk.org


    The graph shows an increase in spam attacks at the beginning of the year, followed by a decline to almost zero. However, in May, there is a peak in spam attacks, followed by a sharp decline. Subsequently, there is a slight increase in spam attacks.

    3. Our blog, blog.doboard.com


    The blog was launched recently, and from the very beginning, it was clear that the number of spam attacks was high, but after some time, there was a decrease.

    4. Personal WordPress Test Site


    The following graph shows statistics for my personal WordPress site, which I use for testing.
    The graph shows a steady increase, peaking in May and then declining.

    All time 19 510 spam blocked 10 21 2025 11 19 AM

    What Does This Tell Us?

    Based on this data, I can draw the following conclusions:
    The number of spam attacks does not show any trend, other than a possible seasonal factor.


    The number of spam attacks may not be linear from month to month or even from day to day. At some points, there may be more, at others, fewer. A low-traffic site like my test site can receive a much higher number of spam attacks than a site with more traffic, a larger number of articles, and a higher search engine ranking.

    What I Did Next

    Now let’s talk about how a user can evaluate the difference between the amount of spam a client sees while using an anti-spam service and when the license expires.

    First, as you can see on our new site, the number of spam attacks increases as it gets added to spam lists.

    Second, when a client installs the CleanTalk Anti-Spam plugin, we have the SpamFireWall option. This option blocks spammers before they reach the site.

    CleanTalk Anti Spam Dashboard 10 21 2025 11 20 AM

    As you can see from this table, we currently receive 12-14 spam attacks per day. These requests can be found, for example, in the spam folder on their site. On average, there were 57 spam attacks per week, and SpamFireWall (SFW) blocked another 350.

    Then, I disabled SFW, and the number of spam attacks reaching the website form immediately increased to 120 on average. So, we see that when using SFW, 50% of spam attacks reach the website and forms, and the remaining spam attacks were stopped by SFW and simply didn’t reach the website.

    Therefore, when assessing the amount of spam, we must also take into account the portion of SFW traffic that simply didn’t reach the website forms. You can track statistics for your sites in the Trends section of the CleanTalk Dashboard.

    To summarize

    The number of spam attacks is not constant and can be higher or lower. Also, when using SFW, you only see a portion of the spam reaching the forms on your website. Having or not having a CleanTalk license doesn’t affect the number of spam attacks.

  • A critical vulnerability in WP Statistics threatens over 600,000 websites: CleanTalk Research team discovers complete admin panel takeover method

    The CleanTalk Research team has identified a critical vulnerability in the popular WP Statistics plugin (versions up to and including 14.15.3), which is installed on over 600,000 WordPress websites. The vulnerability allows unauthenticated attackers to perform Stored Cross-Site Scripting (XSS), leading to administrative session hijacking, admin panel compromise, and potential code execution on the underlying server OS.

    This Unauthenticated Stored XSS vulnerability operates through the HTTP User-Agent header. Attackers can execute arbitrary JavaScript in the WordPress admin panel, enabling them to steal session tokens and nonces, escalate privileges, create administrator accounts, and potentially expand access to the operating system if additional attack vectors are available. Most critically, no authentication is required—a single HTTP request is sufficient, making mass automated exploitation trivial.

    The WP Statistics development team has released a security update addressing this vulnerability. Website administrators are strongly urged to update WP Statistics to the latest version immediately.

    The CleanTalk Research team specializes in identifying and responsibly disclosing vulnerabilities in popular WordPress plugins and themes. We continue to actively audit plugins and publish technical reports on newly discovered vulnerabilities.

    Stay informed:
    📝 Research Blog: https://research.cleantalk.org/ 
    📱 Telegram Channel: https://t.me/cleantalk_researches/326 


    REFERENCES
    https://research.cleantalk.org/cve-2025-9816/ 
    https://www.cve.org/CVERecord?id=CVE-2025-9816 
    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-statistics/ 
    https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 

    CleanTalk Security Plugin automatically scans your plugins for known vulnerabilities. The plugin monitors the versions of all your installed plugins and themes and immediately alerts you if a vulnerability is detected in one. As soon as a problem is detected (like with WP Statistics), you receive a notification.

  • Our Client’s Review: WP Guru

    We love sharing feedback from our users — and today’s story comes from Robin from WP Guru.

    CleanTalk has been a lifesaver for my client’s website on countless occasions. As someone managing SEO-driven lead generation sites and WooCommerce stores, having a reliable solution to combat spam has been an essential part of the development process.

    CleanTalk has not only helped me block spam comments and leads, but it has also been instrumental in preventing bots from creating fake orders. This has saved both me and my clients a significant amount of time and hassle.

    We’d like to thank Robin and WP Guru for trusting CleanTalk to protect their projects and sharing their experience with the community.

  • Apology for Duplicate Security Report Emails on October 2

    On October 2, a technical error caused our system to send duplicate copies of the Security Report email to some users of our Security Service for Websites.


    In a few cases, the same report was sent multiple times.

    3668 Security Issues Have Been Blocked

    We identified and fixed the issue within a few hours, but unfortunately, the duplicate emails had already been delivered.

    We sincerely apologize for this inconvenience and appreciate your understanding.


    Our team has implemented additional safeguards to ensure this does not happen again.

    — CleanTalk Team