64.89.160.72

Summary (Bottom Line Up Front)

IP address 64.89.160.72 (Ghosty Networks LLC, AS205759, Luxembourg) conducted sustained SMTP reconnaissance against mail servers from April 21 to April 29, 2026, generating 4,928 events, almost all against port 25/TCP. The activity consists of generic EHLO probes and SMTP AUTH credential attempts and poses low risk: it is opportunistic, automated scanning rather than targeted exploitation. Network defenders should apply standard SMTP hardening (per-client rate limits, minimal banners, AUTH lockout) and monitor for the same reconnaissance pattern from other sources.

Tags: SMTP, TCP
Activity Timeline
INITIAL REPORT 2026-04-29T05:48:31Z
Source: Analyst Manual Entry
Technical details
Attack Vector: SMTP reconnaissance over port 25/TCP using EHLO commands, sustained over an 8-day period (April 21-29, 2026).
Volume: 4,928 total events, including 518 credential capture attempts (SMTP AUTH submissions recorded by the sensor) and 86 EHLO reconnaissance probes; the other events are not broken out by type.
Source Attribution: AS205759 (Ghosty Networks LLC). AbuseIPDB abuse confidence score of 100/100, meaning the address is heavily reported by other sensors; this corroborates it as scanning infrastructure but is not by itself evidence of targeted intent.
Attack Patterns: credential harvesting through authentication probes, combined with service enumeration via generic EHLO commands. Note that credential attempts outnumber bare EHLO probes roughly six to one, so the AUTH activity, not the EHLO traffic, is the part worth watching in your own logs.
Payload Analysis: the EHLO argument observed was the literal string "User" ("EHLO User") rather than a resolvable hostname or address literal as RFC 5321 requires, which is consistent with an automated scanning tool rather than a real MTA or a targeted exploitation attempt. A non-FQDN EHLO argument is itself a cheap detection signal.
Threat Assessment: classified as noise-level activity with 95% confidence; novelty score 1/10, i.e. common opportunistic scanning behavior.
IOCs
IP:64.89.160.72
ASN:205759
COUNTRY:LU
Recommendations
  • Implement rate limiting on SMTP services (per-client connection and AUTH rate limits) to blunt reconnaissance and brute force attempts
  • Block 64.89.160.72 at the network perimeter. Blocking all of AS205759 (Ghosty Networks LLC) is an option only if no legitimate mail or traffic originates there; given the noise-level assessment above, an IP-level block is the proportionate response
  • Deploy SMTP banner hardening (generic greeting, no software name or version) to minimize information disclosure in the banner and EHLO response; the extensions advertised in the EHLO reply cannot be hidden, so keep the advertised set to what you actually need
  • Monitor authentication logs for unusual patterns following SMTP reconnaissance: repeated SASL failures, AUTH attempts on port 25 from hosts that never deliver mail, and above all any successful AUTH from a host that was previously scanning
  • Consider implementing fail2ban or similar tools to automatically block IPs exhibiting SMTP abuse patterns, and require AUTH only over TLS (or only on the submission port) so that plaintext credential attempts against port 25 fail regardless of the password tried
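The monitoring and auto-blocking recommendations above, together with the EHLO/AUTH split described under Technical details, as an added example that is not the report's own tooling: a Python triage pass over Postfix smtpd log lines that counts per-client EHLO-only sessions and SASL authentication failures and returns a block/watch/ok verdict, which is the decision a fail2ban jail makes from the same log line. The log lines are constructed in Postfix syslog format (the `ehlo=1 auth=0/5 ... commands=2/7` counters on the disconnect line are what Postfix 3.x logs), and the thresholds are assumptions modeled on fail2ban's maxretry, not values from the report.

```python
"""Triage Postfix smtpd logs for SMTP reconnaissance and AUTH brute force.

Added example for this report, not tooling from the report's source. Log lines
are constructed in Postfix syslog format; thresholds are assumptions modeled on
a fail2ban-style maxretry policy and should be tuned locally.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 64.89.160.72 is the reported IP; 198.51.100.7 and
# 203.0.113.9 are documentation-range addresses standing in for other peers.
SAMPLE_LOG = """\
Apr 22 03:14:07 mx1 postfix/smtpd[12345]: connect from unknown[64.89.160.72]
Apr 22 03:14:08 mx1 postfix/smtpd[12345]: disconnect from unknown[64.89.160.72] ehlo=1 commands=1
Apr 22 03:14:10 mx1 postfix/smtpd[12346]: connect from unknown[64.89.160.72]
Apr 22 03:14:11 mx1 postfix/smtpd[12346]: disconnect from unknown[64.89.160.72] ehlo=1 quit=1 commands=2
Apr 22 03:14:20 mx1 postfix/smtpd[12347]: connect from unknown[64.89.160.72]
Apr 22 03:14:21 mx1 postfix/smtpd[12347]: warning: unknown[64.89.160.72]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 22 03:14:22 mx1 postfix/smtpd[12347]: warning: unknown[64.89.160.72]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 22 03:14:23 mx1 postfix/smtpd[12347]: warning: unknown[64.89.160.72]: SASL PLAIN authentication failed: authentication failure
Apr 22 03:14:24 mx1 postfix/smtpd[12347]: warning: unknown[64.89.160.72]: SASL PLAIN authentication failed: authentication failure
Apr 22 03:14:25 mx1 postfix/smtpd[12347]: warning: unknown[64.89.160.72]: SASL PLAIN authentication failed: authentication failure
Apr 22 03:14:26 mx1 postfix/smtpd[12347]: disconnect from unknown[64.89.160.72] ehlo=1 auth=0/5 quit=1 commands=2/7
Apr 22 03:15:00 mx1 postfix/smtpd[12350]: connect from mail.example.org[198.51.100.7]
Apr 22 03:15:02 mx1 postfix/smtpd[12350]: disconnect from mail.example.org[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 22 03:16:00 mx1 postfix/smtpd[12351]: connect from unknown[203.0.113.9]
Apr 22 03:16:01 mx1 postfix/smtpd[12351]: disconnect from unknown[203.0.113.9] ehlo=1 quit=1 commands=2
Apr 22 03:16:30 mx1 postfix/smtpd[12352]: connect from unknown[203.0.113.9]
Apr 22 03:16:31 mx1 postfix/smtpd[12352]: disconnect from unknown[203.0.113.9] ehlo=1 quit=1 commands=2
"""

CONNECT_RE = re.compile(r"smtpd\[\d+\]: connect from \S+\[([\d.]+)\]")
AUTH_FAIL_RE = re.compile(r"warning: \S+\[([\d.]+)\]: SASL (\w+) authentication failed")
DISCONNECT_RE = re.compile(r"disconnect from \S+\[([\d.]+)\] (.+)$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

# Assumed thresholds (not from the report): five failed AUTHs or ten
# EHLO-only sessions earn a block; two EHLO-only sessions or any AUTH failure
# earn a closer look.
AUTH_FAIL_BLOCK = 5
EHLO_ONLY_BLOCK = 10
EHLO_ONLY_WATCH = 2


@dataclass
class ClientStats:
    connections: int = 0
    sessions: int = 0        # disconnect lines seen
    ehlo_only: int = 0       # EHLO/HELO (+QUIT) and nothing else: a capability probe
    auth_failures: int = 0   # one per rejected credential
    auth_mechs: set = field(default_factory=set)  # SASL mechanisms tried
    delivered: int = 0       # sessions that reached DATA


def parse_counters(tail: str) -> dict:
    """'ehlo=1 auth=0/5 quit=1 commands=2/7' -> {'ehlo': 1, 'auth': 5, ...}.
    Postfix logs accepted/attempted pairs; attempted is what abuse triage needs."""
    return {name: int(total or accepted) for name, accepted, total in COUNTER_RE.findall(tail)}


def tally(log_text: str) -> dict:
    """Per-client counters from Postfix smtpd log lines."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            stats[m.group(1)].connections += 1
        elif m := AUTH_FAIL_RE.search(line):
            s = stats[m.group(1)]
            s.auth_failures += 1
            s.auth_mechs.add(m.group(2))
        elif m := DISCONNECT_RE.search(line):
            s = stats[m.group(1)]
            c = parse_counters(m.group(2))
            s.sessions += 1
            greeted = c.get("ehlo", 0) + c.get("helo", 0) >= 1
            did_work = any(c.get(k, 0) for k in ("mail", "rcpt", "data", "auth"))
            if greeted and not did_work:
                s.ehlo_only += 1
            if c.get("data", 0) >= 1:
                s.delivered += 1
    return dict(stats)


def verdict(s: ClientStats) -> str:
    if s.auth_failures >= AUTH_FAIL_BLOCK or s.ehlo_only >= EHLO_ONLY_BLOCK:
        return "block"
    if s.auth_failures or s.ehlo_only >= EHLO_ONLY_WATCH:
        return "watch"
    return "ok"


def triage(log_text: str) -> dict:
    """Map each client IP to 'block', 'watch' or 'ok'."""
    return {ip: verdict(s) for ip, s in tally(log_text).items()}


if __name__ == "__main__":
    for ip, s in tally(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict(s):5} conn={s.connections} ehlo_only={s.ehlo_only} "
              f"auth_fail={s.auth_failures} mechs={sorted(s.auth_mechs)} delivered={s.delivered}")
```

Run as-is it prints the per-client table for the constructed sample; in production, feed it the mail log or `journalctl -u postfix` output and pair a "block" verdict with a firewall action, which is what fail2ban's postfix-sasl jail does from the same SASL failure line. The EHLO-only counter is deliberately kept separate from the AUTH counter so that a host that only fingerprints the banner is not blocked on the strength of reconnaissance alone, while repeated credential attempts are.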