Summary (Bottom Line Up Front)
Russian-origin IP address 195.98.71.118 conducted targeted SMTP reconnaissance against mail infrastructure on 2026-02-28 at approximately 11:00 UTC, executing 19 probe attempts within a one-minute window. This activity represents MEDIUM-confidence email harvesting reconnaissance consistent with spam/phishing campaign preparation. Network defenders should implement enhanced SMTP monitoring and consider blocking the identified infrastructure.
Activity Timeline
UPDATE 2026-03-18T07:52:49Z
Source: Analyst Manual Entry
Russian-origin IP address 195.98.71.118 conducted targeted SMTP reconnaissance against mail infrastructure on 2026-02-28 at approximately 11:00 UTC, executing 19 probe attempts within a one-minute window. This activity represents MEDIUM-confidence email harvesting reconnaissance consistent with spam/phishing campaign preparation. Network defenders should implement enhanced SMTP monitoring and consider blocking the identified infrastructure.
New findings
The threat actor used standard SMTP commands (EHLO, MAIL FROM, RCPT TO) to validate recipient addresses and enumerate mail server capabilities: a server that answers RCPT TO with 250 for an existing mailbox and 550 for an unknown one confirms which addresses are live without any message being delivered. This activity maps to MITRE ATT&CK T1589.002 (Gather Victim Identity Information: Email Addresses), with the capability enumeration falling under T1046 (Network Service Discovery). Volume was concentrated, with 19 events in 60 seconds, which points to automated tooling rather than manual interaction. The source IP (195.98.71.118) carries the maximum AbuseIPDB abuse-confidence score (100/100) and has no reverse DNS, which is consistent with compromised or bulletproof hosting, although a missing PTR record on its own is weak evidence. The observed activity was confined to SMTP reconnaissance, with medium-severity probing across multiple stages of the SMTP transaction.
Recommendations
- Implement rate limiting on SMTP EHLO, MAIL FROM, and RCPT TO commands to prevent rapid enumeration attempts
- Block IP address 195.98.71.118 at perimeter firewalls and email security gateways
- Enable enhanced logging for SMTP transactions to detect similar reconnaissance patterns
- Reduce what a RCPT TO probe can learn: disable VRFY and EXPN, cap recipients per session and per client, and disconnect or tarpit clients that accumulate rejected recipients, so that a single probing session can validate only a handful of addresses before it is cut off
- Monitor for follow-on phishing or spam campaigns targeting validated email addresses within 72 hours
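The following detection logic is an added example and is not part of the report or its telemetry. It parses constructed Postfix smtpd log lines (the hostname "mx1", the recipients, the sender and the HELO string are made up) and flags any client whose rejected RCPT TO commands exceed a threshold inside a sliding 60-second window, which is the pattern described above (19 events in 60 seconds from a source with no reverse DNS). The window, the threshold and the log year are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2026  # syslog lines carry no year; assumed from the report's dates

# Constructed Postfix smtpd log lines modelled on the activity the report
# describes. Hostname, recipients, sender and HELO string are made up.
SAMPLE_LOG = """\
Feb 28 11:00:01 mx1 postfix/smtpd[4011]: connect from unknown[195.98.71.118]
Feb 28 11:00:02 mx1 postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[195.98.71.118]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<alice@example.com> proto=ESMTP helo=<scanner>
Feb 28 11:00:05 mx1 postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[195.98.71.118]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<bob@example.com> proto=ESMTP helo=<scanner>
Feb 28 11:00:09 mx1 postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[195.98.71.118]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<carol@example.com> proto=ESMTP helo=<scanner>
Feb 28 11:00:14 mx1 postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[195.98.71.118]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<dave@example.com> proto=ESMTP helo=<scanner>
Feb 28 11:00:18 mx1 postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[195.98.71.118]: 550 5.1.1 <erin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<erin@example.com> proto=ESMTP helo=<scanner>
Feb 28 11:00:23 mx1 postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[195.98.71.118]: 550 5.1.1 <frank@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<frank@example.com> proto=ESMTP helo=<scanner>
Feb 28 11:00:30 mx1 postfix/smtpd[4020]: connect from mail.partner.example[203.0.113.10]
Feb 28 11:00:31 mx1 postfix/smtpd[4020]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.10]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ops@partner.example> to=<typo@example.com> proto=ESMTP helo=<mail.partner.example>
Feb 28 11:02:40 mx1 postfix/smtpd[4031]: NOQUEUE: reject: RCPT from unknown[195.98.71.118]: 550 5.1.1 <grace@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<grace@example.com> proto=ESMTP helo=<scanner>
"""

# Matches a rejected RCPT TO and captures time, client rDNS, client IP,
# SMTP reply code and the probed recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<rdns>\S+?)\[(?P<ip>[0-9.]+)\]: "
    r"(?P<code>\d{3}) .*? to=<(?P<rcpt>[^>]+)>"
)


def parse_rcpt_rejects(log_text):
    """Yield (timestamp, ip, rdns, code, recipient) for each rejected RCPT TO."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield ts, m["ip"], m["rdns"], int(m["code"]), m["rcpt"]


def detect_rcpt_enumeration(log_text, window_s=60, threshold=5):
    """Flag client IPs whose 5xx RCPT TO rejections reach `threshold` within
    any `window_s` sliding window. Returns {ip: summary dict}."""
    events = defaultdict(list)
    rdns_of = {}
    for ts, ip, rdns, code, rcpt in parse_rcpt_rejects(log_text):
        if 500 <= code < 600:  # permanent rejections only
            events[ip].append((ts, rcpt))
            rdns_of[ip] = rdns
    window = timedelta(seconds=window_s)
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        best, start, span = 0, 0, (evs[0][0], evs[0][0])
        for end in range(len(evs)):          # two-pointer sliding window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (evs[start][0], evs[end][0])
        if best >= threshold:
            alerts[ip] = {
                "peak_count": best,              # most rejects in one window
                "total_rejects": len(evs),
                "distinct_recipients": len({r for _, r in evs}),
                "window_start": span[0],
                "window_end": span[1],
                "no_rdns": rdns_of[ip] == "unknown",
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rcpt_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

Only permanent (5xx) rejections are counted, so a legitimate relay that occasionally hits a mistyped address (the partner host in the sample) stays below threshold, while the scanner's burst of distinct unknown recipients trips it; the 11:02:40 event shows that the window is sliding rather than a fixed minute bucket.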
INITIAL REPORT 2026-03-10T14:51:24Z
Source: Analyst Manual Entry
Russian IP address 195.98.71.118 conducted SMTP service reconnaissance against infrastructure on 2026-02-28 around 11:00 UTC, executing standard EHLO, MAIL FROM, and RCPT TO commands to enumerate service capabilities. Despite the source's maximum AbuseIPDB reputation score (100/100), this activity represents low-severity automated scanning rather than active exploitation attempts. Network defenders should monitor for follow-on activity while implementing standard SMTP hardening measures.
Technical details
Source IP 195.98.71.118 originated from Russian address space with the maximum AbuseIPDB abuse-confidence score and generated 19 events over a brief timeframe against SMTP services. The pattern aligns with MITRE ATT&CK T1046 (Network Service Discovery, formerly Network Service Scanning) in the reconnaissance phase, using legitimate SMTP commands (EHLO, MAIL FROM, RCPT TO) to probe service configuration. Volume was low and only a single destination port was targeted, which suggests automated tooling rather than manual enumeration. No CVE exploitation was observed, and nothing in the traffic indicates a novel exploit: every command was protocol-conformant reconnaissance.
IOCs
IP: 195.98.71.118
COUNTRY: RU
Recommendations
- Block traffic from 195.98.71.118 at network perimeter and monitor for additional scanning from related Russian IP ranges
- Review SMTP service configurations to ensure unnecessary information disclosure is minimized in service banners and responses
- Implement rate limiting on SMTP services to prevent rapid enumeration attempts and reduce reconnaissance effectiveness
- Enable enhanced logging for SMTP connections to detect similar reconnaissance patterns and establish baseline behavioral analytics
- Conduct proactive threat hunting for additional reconnaissance activity targeting mail infrastructure within the past 30 days
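To make the exchange from the technical details concrete and to show what the banner and rate-limiting recommendations above buy, here is an added Python model of both sides of the session; it is example code written for this page, not Postfix and not the report's own data. The server is an in-process state machine whose error-limit behaviour is a simplified version of Postfix's smtpd_hard_error_limit (reply 421 and drop the client once it has accumulated that many errors); the banner strings, mailbox names and the 19 candidate addresses are constructed.

```python
import re

# Constructed mailbox list; the two valid names are what the scanner is after.
VALID_MAILBOXES = {"alice@example.com", "bob@example.com"}
ADDR_RE = re.compile(r"<([^>]+)>")


class SmtpSession:
    """One client connection. handle() returns the server reply to a command.
    Simplified model of a Postfix-style hard error limit: once `hard_error_limit`
    rejected commands accumulate, the server answers 421 and closes."""

    def __init__(self, banner, hard_error_limit, disable_vrfy):
        self.banner = banner
        self.hard_error_limit = hard_error_limit
        self.disable_vrfy = disable_vrfy
        self.errors = 0
        self.closed = False
        self.transcript = []  # ("S" or "C", line) pairs for later review

    def connect(self):
        self.transcript.append(("S", self.banner))
        return self.banner

    def _reply(self, line):
        self.transcript.append(("S", line))
        return line

    def _error(self, line):
        self.errors += 1
        if self.errors >= self.hard_error_limit:
            self.closed = True
            return self._reply("421 4.7.0 mx1.example.com Error: too many errors")
        return self._reply(line)

    def handle(self, command):
        if self.closed:
            raise ConnectionError("session already closed")
        self.transcript.append(("C", command))
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            exts = ["250-mx1.example.com", "250-PIPELINING", "250-SIZE 10240000"]
            if not self.disable_vrfy:
                exts.append("250-VRFY")  # advertising VRFY invites enumeration
            exts.append("250 8BITMIME")
            return self._reply("\r\n".join(exts))
        if verb == "MAIL":
            return self._reply("250 2.1.0 Ok")
        if verb == "QUIT":
            self.closed = True
            return self._reply("221 2.0.0 Bye")
        if verb == "VRFY":
            if self.disable_vrfy:
                return self._error("502 5.5.1 VRFY command is disabled")
            addr = arg.strip("<>")
            if addr in VALID_MAILBOXES:
                return self._reply(f"250 2.1.5 <{addr}>")
            return self._error("550 5.1.1 User unknown")
        if verb == "RCPT":
            m = ADDR_RE.search(arg)
            rcpt = m.group(1) if m else ""
            if rcpt in VALID_MAILBOXES:
                return self._reply("250 2.1.5 Ok")  # leaks that the mailbox exists
            return self._error(f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown")
        return self._error("502 5.5.2 Error: command not recognized")


def enumerate_recipients(session, candidates, sender="test@example.net"):
    """Scanner side of the exchange the report describes: EHLO, MAIL FROM, then
    one RCPT TO per candidate, recording which addresses the server accepted."""
    session.connect()
    session.handle("EHLO scanner")
    session.handle(f"MAIL FROM:<{sender}>")
    confirmed, sent = set(), 0
    for addr in candidates:
        if session.closed:  # server cut the session; stop probing
            break
        sent += 1
        if session.handle(f"RCPT TO:<{addr}>").startswith("250"):
            confirmed.add(addr)
    return confirmed, sent


# 19 candidates, matching the 19 probes in the report; two of them exist.
CANDIDATES = [f"user{i:02d}@example.com" for i in range(19)]
CANDIDATES[3] = "alice@example.com"
CANDIDATES[10] = "bob@example.com"


def leaky_server():
    # Version-revealing banner, error limit of 20 (Postfix default), VRFY on.
    return SmtpSession("220 mx1.example.com ESMTP Postfix (Ubuntu)", 20, False)


def hardened_server():
    # Generic banner, low error limit, VRFY disabled.
    return SmtpSession("220 mx1.example.com ESMTP", 5, True)


if __name__ == "__main__":
    for name, factory in (("leaky", leaky_server), ("hardened", hardened_server)):
        s = factory()
        found, n = enumerate_recipients(s, CANDIDATES)
        print(f"{name}: {n} RCPT TO sent, confirmed {sorted(found)}")
```

Against the leaky configuration all 19 probes complete and both live mailboxes are confirmed; against the hardened one the fifth rejection triggers a 421 and the scanner learns one address before losing the connection. The model does not change the 250/550 distinction itself, because accepting every recipient and bouncing later creates backscatter; the practical control is limiting how many answers one client can collect, which is what the error limit and the per-client recipient rate limits in the recommendations provide.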