Significant Threat
IP 18.116.101.220 is a high-risk address operating from Amazon Web Services infrastructure (AS16509 / AMAZON-02) in the United States, with a threat level of 8 out of 10 and a 96% confidence score based on 2,170 total abuse reports collected between February and May 2026. Automated honeypot sensors detected this activity across 20 distinct monitoring points, with the dominant threat profile showing clear intrusion-and-attack behavior consistent with unauthorized access attempts against exposed services.
The evidence base is substantial and well-supported: this single IP generated over two thousand reports in a three-month window, yielding an activity frequency rating of 8 out of 10. The report distribution across threat categories indicates that Hacking activity accounts for the vast majority of recent detections, supplemented by isolated Email Spam and IoT-Targeted reports. The attack-pattern signatures include general attack connections, IoT and industrial control system probing, and SMTP abuse events logged by honeypot sensors. The geographic location within US infrastructure operated by Amazon does not indicate benign status — threat actors routinely deploy infrastructure within major cloud providers to blend with legitimate traffic and evade naive blocklists.
The dominant Hacking classification encompasses a broad spectrum of intrusion activity, including vulnerability exploitation attempts, credential-based attacks, and unauthorized access probing against services exposed to the internet. Combined with the IoT-Targeted detections, this IP demonstrates interest in compromising edge devices and server endpoints alike. SMTP abuse signatures suggest potential involvement in spam distribution or relay testing, which frequently accompanies broader compromise campaigns. For any organization exposing SSH, RDP, web interfaces, or mail services to this IP's originating network block, the concrete risk is unauthorized lateral movement, data exfiltration, or enrollment in botnet-driven attack infrastructure.
Site operators should act decisively: block or heavily rate-limit access from this IP at the network perimeter, enforce strong authentication on all exposed services (requiring key-based SSH access and disabling password authentication where possible), and monitor logs for the specific attack patterns detected, particularly connection attempts targeting IoT and ICS endpoints as well as SMTP relay probing. Automated blocking tools such as fail2ban or equivalent intrusion-prevention systems can respond dynamically to this threat profile. Organizations should additionally verify that their mail transport configurations enforce strict SPF, DKIM, and DMARC policies to mitigate any spam or phishing risk originating from or relayed through this address.