Summary (Bottom Line Up Front)
High-confidence SMTP reconnaissance from 77.83.39.164 (AS215693 PalmaHost, Netherlands): systematic probing of mail infrastructure from 7 to 10 March 2026. Threat level assessed as MEDIUM because the reconnaissance was sustained over several days and the source carries the maximum AbuseIPDB abuse confidence score (100/100). Immediate blocking and enhanced SMTP monitoring recommended.
Activity Timeline
INITIAL REPORT 2026-03-10T13:20:14Z
Source: Analyst Manual Entry
High-confidence SMTP reconnaissance activity detected from IP 77.83.39.164 (AS215693 PalmaHost, Netherlands), conducting systematic probing against mail infrastructure from 7 to 10 March 2026. Threat level assessed as MEDIUM due to the sustained reconnaissance pattern and the maximum AbuseIPDB abuse confidence score (100/100). Immediate blocking and enhanced SMTP monitoring recommended.
Technical details
Observed 1,891 events attributed to this source, predominantly SMTP_PROBE detections based on EHLO command reconnaissance (64 confirmed instances), where the client connects, issues EHLO to harvest the server banner and advertised extensions, and does not proceed to a mail transaction. All activity was TCP to a single SMTP destination port, which points to deliberate enumeration of the mail server rather than broad port scanning. Fingerprinting of the source is consistent with a Windows Server 2012 R2 host exposing RPC (135), SMB (445) and WinRM (5985/5986), i.e. a poorly managed or compromised system rather than purpose-built scanning infrastructure. Activity maps to MITRE ATT&CK T1046 (Network Service Discovery, formerly Network Service Scanning) and T1590.001 (Gather Victim Network Information: Domain Properties). Key IOC: 77.83.39.164, AbuseIPDB abuse confidence score 100/100, no reverse DNS resolution.
IOCs
IP: 77.83.39.164
ASN: 215693 (PalmaHost)
COUNTRY: NL
Recommendations
- Block 77.83.39.164 at the perimeter and on the mail gateway, and monitor AS215693 (PalmaHost) for additional malicious activity, since a block on a single address is easily sidestepped by a neighbouring host in the same network
- Implement logging and alerting for SMTP reconnaissance: sessions that send EHLO/HELO and disconnect without AUTH or MAIL, counted per source over a sliding window
- Review and harden mail server configuration to minimize information disclosure during the SMTP handshake: generic banner without product or version string, VRFY/EXPN disabled, and no extensions advertised that are not actually in use
- Deploy network segmentation controls so that a compromise of the mail servers cannot be used for lateral movement into the rest of the estate
- Correlate internal logs (mail authentication, VPN, web mail, outbound mail volume) for any successful authentication or data exfiltration from the same source during and after the reconnaissance window
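As an added example (not part of the original report, and not code from the affected environment), the following Python implements the alerting from the second recommendation and the source correlation from the last one over Postfix-style smtpd session-summary lines, and emits access-map entries for the first. It counts, per client IP, the sessions that greeted with EHLO/HELO but never attempted AUTH or MAIL (the handshake-only pattern described in the technical details), flags sources at or above a threshold, and renders the flagged sources as Postfix access(5) REJECT entries. The log lines are constructed, modelled on the disconnect summary Postfix writes at the end of each session; the threshold and every IP other than 77.83.39.164 are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not logs from the affected environment), modelled on
# the per-session summary Postfix smtpd writes at disconnect, for example
# "disconnect from unknown[1.2.3.4] ehlo=1 quit=1 commands=2". A counter is
# written as "name=count", or "name=successes/attempts" when the two differ.
# Only 77.83.39.164 is from the report; the other addresses are placeholders.
SAMPLE_LOG = """\
Mar  9 13:20:14 mx1 postfix/smtpd[2201]: connect from unknown[77.83.39.164]
Mar  9 13:20:14 mx1 postfix/smtpd[2201]: disconnect from unknown[77.83.39.164] ehlo=1 quit=1 commands=2
Mar  9 13:20:19 mx1 postfix/smtpd[2201]: disconnect from unknown[77.83.39.164] ehlo=1 quit=1 commands=2
Mar  9 13:20:25 mx1 postfix/smtpd[2203]: disconnect from unknown[77.83.39.164] ehlo=1 commands=1
Mar  9 13:21:02 mx1 postfix/smtpd[2210]: disconnect from mail.example.net[203.0.113.7] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Mar  9 13:21:40 mx1 postfix/smtpd[2211]: disconnect from unknown[77.83.39.164] ehlo=1 starttls=0/1 quit=1 commands=2/3
Mar  9 13:22:03 mx1 postfix/smtpd[2215]: disconnect from unknown[198.51.100.9] helo=1 quit=1 commands=2
Mar  9 13:22:30 mx1 postfix/smtpd[2216]: disconnect from unknown[192.0.2.55] ehlo=1 auth=0/3 quit=1 commands=3/5
"""

DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from (?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\] (?P<counters>.*)$"
)


def parse_counters(text):
    """Turn 'ehlo=1 starttls=0/1 commands=2/3' into {'ehlo': 1, 'starttls': 1, 'commands': 3}.

    Attempts are kept rather than successes: a failed STARTTLS or AUTH is still
    evidence that the client tried that step.
    """
    counters = {}
    for token in text.split():
        name, _, value = token.partition("=")
        ok, _, attempts = value.partition("/")
        counters[name] = int(attempts or ok)
    return counters


def parse_disconnects(log):
    """Yield one dict per smtpd session-summary line; all other lines are ignored."""
    for line in log.splitlines():
        m = DISCONNECT_RE.match(line)
        if m:
            yield {
                "ts": m.group("ts"),
                "rdns": m.group("rdns"),
                "ip": m.group("ip"),
                "counters": parse_counters(m.group("counters")),
            }


def is_handshake_only(counters):
    """True when the client greeted (EHLO/HELO) but never attempted AUTH or MAIL.

    AUTH attempts are excluded on purpose: those sessions are credential attacks
    and belong to a separate detection, not this reconnaissance one.
    """
    greeted = counters.get("ehlo", 0) + counters.get("helo", 0) > 0
    transacted = counters.get("mail", 0) > 0 or counters.get("auth", 0) > 0
    return greeted and not transacted


def find_probing_sources(log, threshold=3):
    """Return {ip: stats} for clients with at least `threshold` handshake-only sessions.

    The threshold is an assumed tuning value; set it from the baseline of your own
    legitimate senders, which rarely greet and leave more than once or twice.
    """
    per_ip = defaultdict(lambda: {"sessions": 0, "probes": 0, "no_rdns": False})
    for session in parse_disconnects(log):
        stats = per_ip[session["ip"]]
        stats["sessions"] += 1
        if is_handshake_only(session["counters"]):
            stats["probes"] += 1
        if session["rdns"] == "unknown":  # Postfix prints "unknown" when rDNS fails
            stats["no_rdns"] = True
    return {ip: s for ip, s in per_ip.items() if s["probes"] >= threshold}


def postfix_access_entries(flagged):
    """Render flagged sources as access(5) map lines for smtpd check_client_access."""
    return [f"{ip} REJECT" for ip in sorted(flagged)]


if __name__ == "__main__":
    flagged = find_probing_sources(SAMPLE_LOG)
    for ip, stats in flagged.items():
        print(f"{ip}: {stats['probes']}/{stats['sessions']} handshake-only sessions, "
              f"no rDNS={stats['no_rdns']}")
    print("\n".join(postfix_access_entries(flagged)))
```

On the sample, only 77.83.39.164 is flagged (four handshake-only sessions, no reverse DNS); the legitimate sender that went on to MAIL and the host that attempted AUTH are left for their own detections. Run it against the real mail log for the 7 to 10 March window to recover the per-session view behind the 1,891 events; for Exim or Exchange only the regex and counter names change, the session logic stays the same.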