178.16.54.237

Summary (Bottom Line Up Front)

IP address 178.16.54.237 (Netherlands/dus.net GmbH) conducted sustained SMTP reconnaissance and credential capture attempts against organizational infrastructure from April 29 00:00 to May 4 18:00. The source IP maintains a 100/100 AbuseIPDB reputation score and is listed on Spamhaus DROP, indicating known malicious infrastructure. Immediate perimeter blocking is recommended to prevent further reconnaissance activity.

Tags: SMTP, TCP
Activity Timeline
INITIAL REPORT (2026-05-05T11:32:15Z)
Source: Analyst Manual Entry
IP address 178.16.54.237 (Netherlands/dus.net GmbH) conducted sustained SMTP reconnaissance and credential capture attempts against organizational infrastructure from April 29 00:00 to May 4 18:00. The source IP maintains a 100/100 AbuseIPDB reputation score and is listed on Spamhaus DROP, indicating known malicious infrastructure. Immediate perimeter blocking is recommended to prevent further reconnaissance activity.
Technical details
Attack Vector: SMTP-based reconnaissance and exploitation attempts targeting port 25/TCP exclusively, totalling 495 events over a six-day period. Primary techniques include EHLO command probing for service enumeration (T1190 - Exploit Public-Facing Application) and credential capture attempts. The attack patterns are consistent with automated scanning by botnet or spam infrastructure.
Key Indicators:
  • Source: 178.16.54.237 (AS40999 dus.net GmbH)
  • Open services on the source host: SMB (135, 137, 445), RDP (3389), WinRM (5985), suggesting a compromised Windows host
  • Primary payload: "EHLO User" commands for service fingerprinting
  • Kill chain phase: Reconnaissance with credential harvesting attempts
IOCs
  • IP: 178.16.54.237
  • ASN: 40999
  • Country: NL
Recommendations
  • Block 178.16.54.237 at perimeter firewalls and email security gateways immediately
  • Review SMTP server logs for successful authentication attempts from this source IP during the April 29 - May 4 timeframe
  • Implement automated blocking of Spamhaus DROP-listed IP ranges at network edge
  • Monitor for similar EHLO reconnaissance patterns targeting SMTP infrastructure
  • Validate email server hardening against credential capture techniques on port 25/TCP