Summary (Bottom Line Up Front)
Automated SMTP relay attempts and vulnerability scanning observed from IP 178.16.52.2 between March 11-26, 2026, generating 115 security events targeting port 25/TCP. Assessment indicates low-sophistication automated activity with minimal threat impact. Standard email security hardening and monitoring recommended.
Activity Timeline
UPDATE 2 2026-03-30T14:09:27Z
Source: Analyst Manual Entry
Automated SMTP relay attempts and vulnerability scanning observed from IP 178.16.52.2 between March 11-26, 2026, generating 115 security events targeting port 25/TCP. Assessment indicates low-sophistication automated activity with minimal threat impact. Standard email security hardening and monitoring recommended.
New findings
- Attack Vector: SMTP-focused reconnaissance and relay attempts via TCP port 25
- Volume: 115 events over 15-day period (March 11 23:00 - March 26 06:00 UTC)
- Primary Techniques: Email enumeration, unauthorized relay testing, basic web path scanning
- Key Patterns: SMTP MAIL FROM/RCPT TO probes, EHLO reconnaissance, relay configuration testing
- Notable Behavior: Mixed SMTP and HTTP scanning (wp-admin path enumeration), incomplete SMTP command sequences
- IOCs: Source IP 178.16.52.2, email probe using [email protected] domain
- Assessment: Low-sophistication automated scanning with 95% confidence classification as background noise
Recommendations
- Implement SMTP authentication requirements and disable open relay functionality on all mail servers
- Deploy rate limiting on SMTP connections to prevent automated enumeration attempts
- Monitor for incomplete SMTP command sequences and unusual MAIL FROM/RCPT TO patterns
- Block or restrict access from IP 178.16.52.2 if not required for legitimate business operations
- Review mail server logs for similar automated probe patterns and establish baseline monitoring thresholds
UPDATE 1 2026-03-14T17:38:21Z
Source: batch_hunting
Threat actor 178.16.52.2 (AS40999/dus.net GmbH, Germany) conducted sustained SMTP reconnaissance against organizational email infrastructure from March 11-14, 2026, attempting email address validation and enumeration. Assessment: LOW severity reconnaissance activity with potential for escalation to spam/phishing operations. Immediate action: Monitor SMTP logs for enumeration attempts and implement recipient validation controls.
New findings
- Source: 178.16.52.2 (Düsseldorf, Germany) via dus.net GmbH infrastructure
- Campaign Duration: March 11 2026 23:00 - March 14 2026 09:00 (51 total events)
- Attack Vector: SMTP protocol exploitation using MAIL FROM and RCPT TO commands for email address harvesting
- MITRE Mapping: T1589.002 (Gather Victim Identity Information: Email Addresses)
- Kill Chain Phase: Reconnaissance
- Threat Indicators: AbuseIPDB score 100/100, Windows Server 2012 R2 with exposed RDP (3389) and WinRM (5985)
- IOCs: 178.16.52.2, target email validation for [email protected]
Recommendations
- Implement SMTP recipient validation controls to prevent email address enumeration attacks
- Monitor mail server logs for suspicious RCPT TO command patterns and repeated validation attempts
- Block or rate-limit connections from 178.16.52.2 and consider ASN-level filtering for AS40999
- Review email security gateway configurations to detect and block reconnaissance probes
- Enhance monitoring for follow-on spam/phishing campaigns targeting validated email addresses
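The monitoring recommendations in both updates (incomplete SMTP command sequences, repeated RCPT TO validation attempts, unauthorized relay testing) can be reduced to a per-source heuristic over mail sensor logs. The script below is an added example written for this page; it is not part of the original report or of any tool the report references. The log line format, the source IPs (203.0.113.7 and 198.51.100.9 from the documentation ranges), the mailbox names, the local domain set and the thresholds are all constructed or assumed for illustration.

```python
"""Heuristic detection of SMTP recipient enumeration, open-relay testing and
incomplete command sequences, per source IP, over honeypot/MTA sensor logs.

Assumed (hypothetical) log format, one client command per line:
    <iso-timestamp> <src_ip> <session_id> <SMTP command line>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"corp.example"}   # assumed: domains this MX is authoritative for
RCPT_PROBE_THRESHOLD = 5           # distinct RCPT TO targets per source -> enumeration
INCOMPLETE_RATIO = 0.5             # share of sessions that never reach DATA -> probing

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample log: 203.0.113.7 probes recipients and tests relaying,
# 198.51.100.9 is an authenticated client that delivers one message.
SAMPLE_LOG = """\
2026-03-11T23:00:01Z 203.0.113.7 s1 EHLO scan.invalid
2026-03-11T23:00:02Z 203.0.113.7 s1 MAIL FROM:<probe@scan.invalid>
2026-03-11T23:00:03Z 203.0.113.7 s1 RCPT TO:<admin@corp.example>
2026-03-11T23:00:04Z 203.0.113.7 s1 RCPT TO:<sales@corp.example>
2026-03-11T23:00:05Z 203.0.113.7 s1 RCPT TO:<info@corp.example>
2026-03-11T23:00:06Z 203.0.113.7 s1 QUIT
2026-03-11T23:05:01Z 203.0.113.7 s2 EHLO scan.invalid
2026-03-11T23:05:02Z 203.0.113.7 s2 MAIL FROM:<probe@scan.invalid>
2026-03-11T23:05:03Z 203.0.113.7 s2 RCPT TO:<postmaster@corp.example>
2026-03-11T23:05:04Z 203.0.113.7 s2 RCPT TO:<webmaster@corp.example>
2026-03-11T23:05:05Z 203.0.113.7 s2 RSET
2026-03-11T23:10:01Z 203.0.113.7 s3 EHLO scan.invalid
2026-03-11T23:10:02Z 203.0.113.7 s3 MAIL FROM:<probe@scan.invalid>
2026-03-11T23:10:03Z 203.0.113.7 s3 RCPT TO:<someone@other.example>
2026-03-11T23:10:04Z 203.0.113.7 s3 QUIT
2026-03-12T08:00:01Z 198.51.100.9 s9 EHLO laptop.corp.example
2026-03-12T08:00:02Z 198.51.100.9 s9 AUTH LOGIN
2026-03-12T08:00:03Z 198.51.100.9 s9 MAIL FROM:<alice@corp.example>
2026-03-12T08:00:04Z 198.51.100.9 s9 RCPT TO:<bob@corp.example>
2026-03-12T08:00:05Z 198.51.100.9 s9 DATA
2026-03-12T08:00:06Z 198.51.100.9 s9 QUIT
"""


@dataclass
class Session:
    src: str
    commands: list = field(default_factory=list)
    rcpts: list = field(default_factory=list)
    authenticated: bool = False   # simplification: an AUTH command is taken as success

    def is_incomplete(self) -> bool:
        # Envelope set up (RCPT TO issued) but no DATA ever sent: a probe, not a delivery.
        return "RCPT" in self.commands and "DATA" not in self.commands

    def relay_attempts(self) -> list:
        # Unauthenticated RCPT TO for a domain we are not authoritative for = relay test.
        return [r for r in self.rcpts
                if not self.authenticated
                and r.rsplit("@", 1)[-1] not in LOCAL_DOMAINS]


def parse_sessions(lines) -> list:
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, src, sid, cmdline = m.groups()
        parts = cmdline.split()
        if not parts:
            continue
        key = (src, sid)
        if key not in sessions:
            sessions[key] = Session(src=src)
        sess = sessions[key]
        verb = parts[0].upper().rstrip(":")
        sess.commands.append(verb)
        if verb == "AUTH":
            sess.authenticated = True
        elif verb == "RCPT":
            addr = ADDR_RE.search(cmdline)
            if addr:
                sess.rcpts.append(addr.group(1).lower())
    return list(sessions.values())


def assess_sources(sessions) -> dict:
    """Aggregate sessions per source IP and tag suspicious behaviour."""
    agg = defaultdict(lambda: {"sessions": 0, "incomplete": 0,
                               "distinct_rcpts": set(), "relay_attempts": 0})
    for s in sessions:
        a = agg[s.src]
        a["sessions"] += 1
        a["incomplete"] += int(s.is_incomplete())
        a["distinct_rcpts"].update(s.rcpts)
        a["relay_attempts"] += len(s.relay_attempts())
    findings = {}
    for src, a in agg.items():
        tags = []
        if len(a["distinct_rcpts"]) >= RCPT_PROBE_THRESHOLD:
            tags.append("recipient-enumeration")
        if a["relay_attempts"] > 0:
            tags.append("open-relay-test")
        if a["incomplete"] / a["sessions"] >= INCOMPLETE_RATIO:
            tags.append("incomplete-sessions")
        findings[src] = {"tags": tags, "sessions": a["sessions"],
                         "incomplete": a["incomplete"],
                         "distinct_rcpts": len(a["distinct_rcpts"]),
                         "relay_attempts": a["relay_attempts"]}
    return findings


if __name__ == "__main__":
    for src, f in assess_sources(parse_sessions(SAMPLE_LOG.splitlines())).items():
        print(src, f)
```

The incomplete-session check is the signal the report calls out as "incomplete SMTP command sequences": a legitimate client that set up an envelope almost always proceeds to DATA, whereas a validator or relay tester stops after the RCPT TO responses. Feeding the recipient-enumeration count into the baseline thresholds mentioned in the recommendations (or into a rate limiter keyed on source IP) is the natural next step.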
INITIAL REPORT 2026-03-14T16:28:45Z
Source: Analyst Manual Entry
Internet-facing sensors observed sustained reconnaissance activity from 178.16.52.2 (Düsseldorf, Germany) conducting SMTP email address validation and vulnerability scanning over a 60-hour period from March 11-14, 2026. The activity represents low-severity automated reconnaissance consistent with spam/phishing campaign preparation. The actor demonstrated methodical probing behavior targeting mail services with 51 total events across TCP and SMTP protocols.
Technical details
The actor utilized SMTP protocol reconnaissance techniques, specifically employing MAIL FROM and RCPT TO commands to validate email addresses, consistent with MITRE ATT&CK technique T1589.002 (Gather Victim Identity Information: Email Addresses). Traffic analysis revealed attempts to verify the email address "[email protected]" through standard SMTP enumeration methods. Additional scanning activity targeted common vulnerability paths using TCP connections. The source system presented as Windows Server 2012 R2 (build 6.3.9600) with exposed services on ports 135 (RPC), 137 (NetBIOS), 3389 (RDP), and 5985 (WinRM). No CVE-specific exploits were observed. Primary IOCs include source IP 178.16.52.2 and the targeted email address string in SMTP communications.
IOCs
IP: 178.16.52.2
ASN: 40999
COUNTRY: DE