Summary (Bottom Line Up Front)
A Windows Server 2012 R2 system at 91.92.240.10 (Neterra Ltd./DE) conducted sustained SMTP reconnaissance against our infrastructure between March 12-13, 2026. This represents medium-severity reconnaissance activity with potential for follow-on attacks targeting email services. Immediate blocking and enhanced SMTP monitoring are recommended.
Activity Timeline
INITIAL REPORT 2026-03-14T17:45:45Z
Source: batch_hunting
Technical details
- Source: 91.92.240.10 (AS2914 Neterra Ltd., Germany) - AbuseIPDB score 100/100
- Attack Window: March 12, 2026 09:00 - March 13, 2026 10:00 (26-hour campaign)
- Volume: 49 events across SMTP protocol exclusively
- Primary Techniques: SMTP service enumeration via EHLO, MAIL FROM, and RCPT TO commands
- MITRE Mapping: T1046 (Network Service Scanning), T1589 (Gather Victim Identity Information)
- Host Profile: Windows Server 2012 R2 with exposed RDP (3389), SMB (445), and WinRM (5985)
- IOCs: 91.92.240.10, sustained SMTP reconnaissance pattern
IOCs
IP:91.92.240.10
ASN:2914
COUNTRY:DE
Recommendations
- Block 91.92.240.10 at perimeter firewalls and add to threat intelligence feeds
- Implement enhanced logging for SMTP EHLO, MAIL FROM, and RCPT TO commands to detect similar reconnaissance
- Review and harden SMTP service configurations to minimize information disclosure during enumeration attempts
- Monitor for follow-on attacks targeting identified email addresses or attempting SMTP relay abuse
- Consider implementing rate limiting on SMTP connections to prevent sustained reconnaissance campaigns
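One way to act on the enhanced-logging recommendation is shown below as an added example, not part of the original report: it scans SMTP command logs for clients that probe recipients without ever sending mail. The log format, thresholds, and function names are assumptions, and the sample lines are constructed using documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical "<timestamp> <client-ip> <SMTP command>" format.
SAMPLE_LOG = """\
2026-03-12T09:00:05Z 203.0.113.7 EHLO scanner.invalid
2026-03-12T09:00:06Z 203.0.113.7 MAIL FROM:<test@scanner.invalid>
2026-03-12T09:00:07Z 203.0.113.7 RCPT TO:<admin@example.org>
2026-03-12T09:00:08Z 203.0.113.7 RCPT TO:<info@example.org>
2026-03-12T09:00:09Z 203.0.113.7 RCPT TO:<Sales@example.org>
2026-03-12T11:30:00Z 203.0.113.7 EHLO scanner.invalid
2026-03-12T10:15:00Z 198.51.100.20 EHLO mail.partner.example
2026-03-12T10:15:01Z 198.51.100.20 MAIL FROM:<alice@partner.example>
2026-03-12T10:15:02Z 198.51.100.20 RCPT TO:<bob@example.org>
2026-03-12T10:15:03Z 198.51.100.20 DATA
this line is not an SMTP command record
"""

LINE_RE = re.compile(
    r"^\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(EHLO|HELO|MAIL FROM|RCPT TO|DATA|QUIT)\b:?\s*(.*)$", re.I)
COUNTED = {"EHLO": "ehlo", "HELO": "ehlo", "MAIL FROM": "mail", "DATA": "data"}

def summarize(log_text):
    """Per-client command counts plus the set of distinct recipients probed."""
    stats = defaultdict(lambda: {"ehlo": 0, "mail": 0, "data": 0, "rcpts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not SMTP command records
        ip, verb, arg = m.group(1), m.group(2).upper(), m.group(3)
        if verb == "RCPT TO":
            stats[ip]["rcpts"].add(arg.strip("<> ").lower())
        elif verb in COUNTED:
            stats[ip][COUNTED[verb]] += 1
    return stats

def find_recon(log_text, min_rcpts=3, min_idle_ehlo=1):
    """Return {client_ip: [reasons]} for clients matching a reconnaissance pattern."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        checks = {
            # Many distinct recipients tested, but no message ever submitted.
            "rcpt-probe-without-data": len(s["rcpts"]) >= min_rcpts and s["data"] == 0,
            # Greetings that never lead to a mail transaction (capability probing).
            "ehlo-without-mail": s["ehlo"] - s["mail"] >= min_idle_ehlo,
        }
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Clients that repeat EHLO after STARTTLS will inflate the greeting count, so raise `min_idle_ehlo` where TLS upgrades are common.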