81.30.98.207

Summary (Bottom Line Up Front)

Malicious activity detected from 81.30.98.207 (LT, AS209425). 73829 events observed across Diameter, MySQL, SMTP, TCP, TCP/SYN. AI verdict: NOISE.

Activity Timeline
INITIAL REPORT 2026-05-29T07:13:34Z
Source: Analyst Manual Entry
Malicious activity detected from 81.30.98.207 (LT, AS209425). 73829 events observed across Diameter, MySQL, SMTP, TCP, TCP/SYN. AI verdict: NOISE.
Technical details
Protocols: Diameter, MySQL, SMTP, TCP, TCP/SYN
Attack types: CREDENTIAL_CAPTURE, PROTO_ABUSE, SMTP_PROBE, AI_DETECTED
Unique destination ports: 1
Active window: 2026-05-23 18:50:31.469993 to 2026-05-29 09:12:18.060863
Top patterns: auth, auth_login_creds, claude_smtp_ehlo_reconnaissance, smtp_ehlo, suricata_sid_2220018
IOCs
IP:81.30.98.207
ASN:209425
COUNTRY:LT
Recommendations
  • Block 81.30.98.207 at perimeter firewall
  • Monitor other traffic from AS209425
  • Review correlated attacker profiles for campaign links