158.94.209.116

Summary (Bottom Line Up Front)

IP address 158.94.209.116 (AS202412, Middlesex University, NL) conducted sustained SMTP recipient enumeration over roughly 18 hours against email infrastructure, with 59 recorded events. Assessed threat level: MEDIUM; the activity is reconnaissance only, and the academic network origin suggests either research activity or a compromised host rather than purpose-built attack infrastructure. Immediate blocking and enhanced SMTP monitoring are recommended.

TCP smtp
Activity Timeline
INITIAL REPORT 2026-03-20T09:31:38Z
Source: Analyst Manual Entry
Technical details
  • Source: 158.94.209.116 (AS202412 Middlesex University, Netherlands)
  • Activity Window: March 18, 2026 19:00 to March 19, 2026 14:00 (an 18- to 19-hour window of sustained activity)
  • Attack Volume: 59 events against a single destination port (SMTP over TCP), i.e. a slow, low-rate probe of roughly three connections per hour rather than a burst
  • Primary Techniques: SMTP recipient enumeration via repeated RCPT TO commands (harvesting valid addresses from differing server responses); protocol probing without a preceding HELO/EHLO handshake
  • MITRE Mapping: T1589.002 (Gather Victim Identity Information: Email Addresses), T1018 (Remote System Discovery)
  • Infrastructure Profile: the source host exposes multiple services (RDP/3389, SMB/445, WinRM/5985), consistent with a Windows system
  • Threat Indicators: AbuseIPDB score 100/100, sustained enumeration patterns, non-compliant SMTP client behaviour (RCPT TO issued without HELO/EHLO)
IOCs
IP:158.94.209.116
ASN:202412
COUNTRY:NL
Recommendations
  • Block 158.94.209.116 at perimeter firewalls and email security gateways immediately
  • Rate-limit RCPT TO commands per client IP, and alert on clients that accumulate many distinct unknown recipients over a long window, since a slow probe of this kind (59 events in 18 hours) stays under any per-minute limit
  • Enable enhanced logging for SMTP transactions, focusing on rejected RCPT TO commands, distinct recipients per client, and protocol violations such as commands sent before HELO/EHLO
  • Monitor for additional reconnaissance activity from the AS202412 (Middlesex University) network range
  • Review and harden SMTP server configuration to minimise information disclosure during enumeration: require HELO/EHLO before MAIL FROM, and avoid responses that let a client distinguish valid from invalid recipients
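The detection logic behind the logging and rate-limiting recommendations above, as an added example that is not part of the analyst's report. It assumes Postfix-style smtpd rejection lines (the log lines below are constructed, not the report's actual data; the assumption that Postfix omits the helo=<...> field when the client never sent HELO/EHLO is marked in the code) and uses illustrative thresholds. It profiles each client by distinct unknown recipients and missing HELO, which catches a slow probe, and separately checks a sliding-window RCPT TO rate, which only catches bursts.

```python
"""Detect SMTP recipient enumeration from Postfix smtpd rejection logs.

Added example for this report, not tooling from the original analysis.
Assumptions: Postfix log format; thresholds are illustrative and should be
tuned to the legitimate bounce/typo rate of the receiving domain.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not the report's data). Syslog timestamps carry
# no year, so the parser assumes 2026 to match the report's activity window.
SAMPLE_LOG = """\
Mar 18 19:00:04 mx1 postfix/smtpd[4101]: connect from unknown[158.94.209.116]
Mar 18 19:00:05 mx1 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[158.94.209.116]: 550 5.1.1 <admin@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<admin@example.org> proto=SMTP
Mar 18 19:00:06 mx1 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[158.94.209.116]: 550 5.1.1 <alice@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<alice@example.org> proto=SMTP
Mar 18 19:00:07 mx1 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[158.94.209.116]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<bob@example.org> proto=SMTP
Mar 18 19:00:08 mx1 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[158.94.209.116]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<carol@example.org> proto=SMTP
Mar 18 19:00:09 mx1 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[158.94.209.116]: 550 5.1.1 <dave@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<dave@example.org> proto=SMTP
Mar 18 19:00:10 mx1 postfix/smtpd[4101]: disconnect from unknown[158.94.209.116]
Mar 18 19:03:41 mx1 postfix/smtpd[4107]: connect from mail.partner.example[203.0.113.7]
Mar 18 19:03:42 mx1 postfix/smtpd[4107]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.7]: 550 5.1.1 <jsmith@example.org>: Recipient address rejected: User unknown in local recipient table; from=<ops@partner.example> to=<jsmith@example.org> proto=ESMTP helo=<mail.partner.example>
Mar 18 19:03:43 mx1 postfix/smtpd[4107]: disconnect from mail.partner.example[203.0.113.7]
"""

# Matches a Postfix "NOQUEUE: reject: RCPT" line. The trailing helo=<...> field
# is optional: the assumption here is that Postfix omits it when the client
# issued RCPT TO without ever sending HELO/EHLO.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<enh>\d\.\d\.\d) "
    r"<(?P<rcpt>[^>]*)>: (?P<reason>[^;]*); from=<(?P<sender>[^>]*)> to=<[^>]*> "
    r"proto=(?P<proto>\S+)(?: helo=<(?P<helo>[^>]*)>)?\s*$"
)


def parse_rejects(log_text, year=2026):
    """Return one dict per rejected RCPT TO; lines that are not rejections are skipped."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "ip": m["ip"],
            "rcpt": m["rcpt"].lower(),
            # 5.1.1 "User unknown" is the response an enumerator harvests from.
            "user_unknown": m["enh"] == "5.1.1" and "User unknown" in m["reason"],
            "helo": m["helo"],  # None when no HELO/EHLO preceded the command
        })
    return events


def profile_clients(events):
    """Per source IP: distinct unknown recipients probed, RCPT TOs sent without
    HELO/EHLO, and the time span of the activity in seconds."""
    acc = defaultdict(lambda: {"rejects": 0, "unknown": set(), "no_helo": 0, "first": None, "last": None})
    for e in events:
        p = acc[e["ip"]]
        p["rejects"] += 1
        if e["user_unknown"]:
            p["unknown"].add(e["rcpt"])
        if e["helo"] is None:
            p["no_helo"] += 1
        p["first"] = e["ts"] if p["first"] is None else min(p["first"], e["ts"])
        p["last"] = e["ts"] if p["last"] is None else max(p["last"], e["ts"])
    return {
        ip: {
            "rejects": p["rejects"],
            "distinct_unknown": len(p["unknown"]),
            "no_helo": p["no_helo"],
            "span_seconds": (p["last"] - p["first"]).total_seconds(),
        }
        for ip, p in acc.items()
    }


def flag_enumerators(profiles, min_distinct_unknown=5):
    """Enumeration signal: many distinct unknown recipients from one client,
    regardless of how slowly they arrived. The threshold is illustrative."""
    return sorted(ip for ip, p in profiles.items() if p["distinct_unknown"] >= min_distinct_unknown)


def exceeds_rcpt_rate(events, ip, max_per_window, window_seconds):
    """True if the client exceeded max_per_window rejected RCPT TOs in any sliding
    window of window_seconds. Mirrors a per-client rate limit: catches bursts,
    not a probe paced at a few attempts per hour."""
    times = sorted(e["ts"] for e in events if e["ip"] == ip)
    start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 > max_per_window:
            return True
    return False


if __name__ == "__main__":
    evts = parse_rejects(SAMPLE_LOG)
    prof = profile_clients(evts)
    for ip in flag_enumerators(prof):
        burst = exceeds_rcpt_rate(evts, ip, max_per_window=4, window_seconds=60)
        print(f"{ip}: {prof[ip]['distinct_unknown']} distinct unknown recipients, "
              f"{prof[ip]['no_helo']} RCPT TO without HELO, burst={burst}")
```

In the constructed sample the probing client is flagged by both checks because its five attempts arrive within seconds; the partner MTA, which sent a single mistyped address with a proper EHLO, is flagged by neither. Against a campaign paced like the one in this report (59 events over 18 hours), only the distinct-recipient profile fires, which is why the logging recommendation asks for per-client recipient counts over a long window and not just a per-minute rate limit.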