91.92.240.214

Summary (Bottom Line Up Front)

IP address 91.92.240.214 conducted 185 automated attacks over 15 days targeting SMTP services with relay attempts and IoT command injection, assessed as low-sophistication botnet activity with MEDIUM threat level. Organizations should implement SMTP relay restrictions and monitor for similar reconnaissance patterns targeting mail infrastructure.

SMTP TCP
Activity Timeline
INITIAL REPORT 2026-04-11T08:09:07Z
Source: Analyst Manual Entry
Technical details
The attacker conducted a sustained campaign from March 26 11:00 to April 10 21:00 UTC targeting port 25/SMTP with mixed attack vectors. Primary techniques included SMTP relay attempts (53 instances), recipient enumeration attacks (35 instances), and IoT command injection attempts (60 instances), suggesting multi-purpose botnet activity. Attack patterns indicate a reconnaissance phase: SMTP EHLO/HELO commands followed by MAIL FROM/RCPT TO enumeration and DATA command injection attempts. No CVE exploitation or zero-day activity was observed. Behavioral analysis suggests automated tooling; botnet attribution is made with medium confidence.
IOCs
IP: 91.92.240.214
Recommendations
  • Block IP 91.92.240.214 at network perimeter and monitor for similar SMTP enumeration patterns
  • Implement SMTP relay restrictions and authentication requirements for all mail servers
  • Deploy rate limiting on SMTP connections to prevent recipient enumeration attacks
  • Monitor network traffic for IoT devices receiving unexpected MQTT or data commands on port 25
  • Review mail server logs for unauthorized relay attempts and recipient enumeration activity
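A defender-side check for the relay and recipient-enumeration patterns listed in the recommendations, added here as an example and not part of the original report: it parses constructed Postfix-style smtpd reject lines (the recipient addresses, sender addresses and the second client IP are made up; the first client IP is the report's IOC) and tags each client with relay_attempt and/or recipient_enumeration, where the enumeration threshold is an assumed tunable.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Postfix-style smtpd reject format. Addresses and
# the 198.51.100.7 client are illustrative; 91.92.240.214 is the report's IOC.
SAMPLE_LOG = """\
Apr 10 20:58:40 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[91.92.240.214]: 554 5.7.1 <a@example.net>: Relay access denied; from=<x@example.org> to=<a@example.net> proto=ESMTP helo=<test>
Apr 10 20:58:41 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[91.92.240.214]: 554 5.7.1 <b@example.net>: Relay access denied; from=<x@example.org> to=<b@example.net> proto=ESMTP helo=<test>
Apr 10 20:58:42 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[91.92.240.214]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<admin@example.com> proto=ESMTP helo=<test>
Apr 10 20:58:43 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[91.92.240.214]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<sales@example.com> proto=ESMTP helo=<test>
Apr 10 20:58:44 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[91.92.240.214]: 550 5.1.1 <info@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<info@example.com> proto=ESMTP helo=<test>
Apr 10 20:58:45 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[91.92.240.214]: 550 5.1.1 <test@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<test@example.com> proto=ESMTP helo=<test>
Apr 10 20:59:10 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<y@example.org> to=<bob@example.com> proto=ESMTP helo=<laptop>
"""

# One smtpd RCPT reject: client IP, reply code, reject reason and rejected recipient.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) \S+ <[^>]*>: "
    r"(?P<reason>[^;]+);.*?to=<(?P<rcpt>[^>]*)>"
)


def analyze_smtp_rejects(log_text, enum_threshold=3):
    """Per client IP: count 'Relay access denied' rejects (relay attempts) and
    distinct unknown recipients; enum_threshold (assumed value) distinct unknown
    recipients from one client is treated as RCPT TO enumeration."""
    relay = defaultdict(int)
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail or non-RCPT events are not of interest here
        if "Relay access denied" in m["reason"]:
            relay[m["ip"]] += 1
        elif "User unknown" in m["reason"]:
            unknown[m["ip"]].add(m["rcpt"])
    findings = {}
    for ip in set(relay) | set(unknown):
        tags = []
        if relay[ip]:
            tags.append("relay_attempt")
        if len(unknown[ip]) >= enum_threshold:
            tags.append("recipient_enumeration")
        findings[ip] = {"relay_attempts": relay[ip],
                        "unknown_recipients": len(unknown[ip]), "tags": tags}
    return findings


if __name__ == "__main__":
    for ip, finding in analyze_smtp_rejects(SAMPLE_LOG).items():
        print(ip, finding)
```

Feed it the output of grep for "NOQUEUE: reject: RCPT" over a day's mail log to get the same per-client summary; the threshold should be tuned to the volume of typos normally seen from legitimate senders.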