81.30.98.181

Summary (Bottom Line Up Front)

An IP address (81.30.98.181) from Iran has been observed conducting SMTP AUTH probes and credential capture attempts over a period of five days in May 2026. The activity is assessed as noise, but network defenders should review their SMTP configurations and implement additional authentication measures.

BACnet, Elasticsearch, IRC, SMTP, TCP, TCP/SYN
Activity Timeline
INITIAL REPORT 2026-05-28T14:54:37Z
Source: Analyst Manual Entry
An IP address (81.30.98.181) from Iran has been observed conducting SMTP AUTH probes and credential capture attempts over a period of five days in May 2026. The activity is assessed as noise, but network defenders should review their SMTP configurations and implement additional authentication measures.
Technical details
The IP address engaged in multiple protocols including BACnet, Elasticsearch, IRC, SMTP, TCP, and TCP/SYN. Key attack patterns include CREDENTIAL_CAPTURE (7406 hits), AI_DETECTED SMTP reconnaissance (1351 hits), and PROTO_ABUSE (2 hits). The primary destination port was 25/TCP with EHLO commands observed in captured payloads. No CVEs or zero-day exploits were identified.
IOCs
IP: 81.30.98.181
COUNTRY: LT
Recommendations
  • Review and update SMTP server configurations to enforce strong authentication mechanisms.
  • Monitor and log all EHLO requests on your SMTP servers for anomaly detection.
  • Implement rate limiting and connection throttling on port 25/TCP to mitigate brute force attacks.
  • Educate users about the risks of exposing sensitive information during authentication processes.
  • Regularly audit access logs for unusual activity patterns related to SMTP services.