141.98.9.114

Summary (Bottom Line Up Front)

Lithuanian-based IP 141.98.9.114 conducted low-volume SMTP reconnaissance against mail infrastructure on March 18, 2026, between 02:00 and 08:00, attempting to enumerate mail server capabilities and recipients. The activity is typical network reconnaissance and is assessed as LOW threat, but it may indicate preparation for future mail-based attacks. Network defenders should monitor for escalation while implementing standard SMTP hardening measures.

Protocol: TCP, service: smtp
Activity Timeline
INITIAL REPORT 2026-03-23T06:28:08Z
Source: Analyst Manual Entry
Technical details
Attack Vector: SMTP reconnaissance via TCP protocol targeting mail services
Volume: 73 events over 6-hour window (March 18, 2026, 02:00-08:00)
Primary Techniques: EHLO command probing and RCPT TO enumeration attempts
MITRE Mapping: T1046 (Network Service Scanning) - Reconnaissance phase
Source Profile: AS209588 VDS & Cloud services, Lithuania, AbuseIPDB score 34/100
Infrastructure Indicators: Open RDP (3389), SMB (445), and NetBIOS (135, 137) ports suggest a compromised Windows system
IOCs: 141.98.9.114 (source IP); SMTP enumeration patterns targeting a single destination port
IOCs
IP: 141.98.9.114
ASN: 209588
COUNTRY: LT
Recommendations
  • Implement rate limiting on SMTP EHLO and RCPT TO commands to prevent rapid enumeration attempts
  • Monitor mail server logs for unusual recipient enumeration patterns and failed authentication sequences
  • Consider blocking or rate-limiting traffic from AS209588 if not business-critical
  • Deploy additional monitoring for potential follow-on attacks including spam campaigns or credential stuffing against identified mail services
  • Review and harden SMTP banner information disclosure to limit reconnaissance value
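As a worked detection example for the log-monitoring recommendation above (added here, not part of the original report): a Python pass over constructed Postfix smtpd log lines that flags clients probing several non-existent recipients (RCPT TO enumeration) and counts EHLO-only sessions (capability probing) as context. The log lines, host names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Postfix smtpd log lines: one EHLO-only session and three
# recipient probes from the reported IP, plus one ordinary bounce from a
# legitimate partner host. Not real logs from the report.
SAMPLE_LOGS = """\
Mar 18 02:14:07 mx1 postfix/smtpd[2101]: connect from unknown[141.98.9.114]
Mar 18 02:14:08 mx1 postfix/smtpd[2101]: disconnect from unknown[141.98.9.114] ehlo=1 quit=1 commands=2
Mar 18 02:31:40 mx1 postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[141.98.9.114]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.invalid> to=<admin@example.com> proto=ESMTP helo=<scan>
Mar 18 02:31:41 mx1 postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[141.98.9.114]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.invalid> to=<sales@example.com> proto=ESMTP helo=<scan>
Mar 18 02:31:42 mx1 postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[141.98.9.114]: 550 5.1.1 <hr@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.invalid> to=<hr@example.com> proto=ESMTP helo=<scan>
Mar 18 02:31:43 mx1 postfix/smtpd[2188]: disconnect from unknown[141.98.9.114] ehlo=1 mail=1 rcpt=0/3 quit=1 commands=3/6
Mar 18 03:05:12 mx1 postfix/smtpd[2250]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.7]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<typo@example.com> proto=ESMTP helo=<mail.partner.example>
"""

# A rejected RCPT TO: capture the client IP and the recipient that was probed.
RCPT_REJECT = re.compile(r"reject: RCPT from \S+\[(?P<ip>[\d.]+)\].*? to=<(?P<rcpt>[^>]+)>")
# Session summary at disconnect; its per-command counters reveal sessions
# that only issued EHLO and never MAIL/RCPT (capability probing).
DISCONNECT = re.compile(r"disconnect from \S+\[(?P<ip>[\d.]+)\] (?P<counters>.*)$")


def analyze_smtp_logs(lines, rcpt_threshold=3):
    """Return {ip: stats} for clients with >= rcpt_threshold distinct rejected recipients."""
    stats = defaultdict(lambda: {"rejected_rcpts": set(), "ehlo_only_sessions": 0})
    for line in lines:
        m = RCPT_REJECT.search(line)
        if m:
            stats[m["ip"]]["rejected_rcpts"].add(m["rcpt"].lower())
            continue
        m = DISCONNECT.search(line)
        if m:
            counters = dict(c.split("=", 1) for c in m["counters"].split())
            if "ehlo" in counters and "mail" not in counters and "rcpt" not in counters:
                stats[m["ip"]]["ehlo_only_sessions"] += 1
    return {
        ip: {"distinct_rejected_rcpts": len(s["rejected_rcpts"]),
             "ehlo_only_sessions": s["ehlo_only_sessions"]}
        for ip, s in stats.items() if len(s["rejected_rcpts"]) >= rcpt_threshold
    }


if __name__ == "__main__":
    for ip, s in analyze_smtp_logs(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {s['distinct_rejected_rcpts']} distinct rejected recipients, "
              f"{s['ehlo_only_sessions']} EHLO-only session(s)")
```

The partner host's single bounce stays below the threshold, so only the enumerating client is reported; tune `rcpt_threshold` to the normal bounce rate of your own mail flow.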