This time it came to notice from a terse spam with a PDF attached:
From: Lisa Liang [firstname.lastname@example.org]Attached is a file Amended copy.pdf which when you open it (not recommended) looks blurry with "VIEW" in big red letters.
Date: 20 November 2016 at 23:23
Subject: 11/21/2016 Amended
Analysis of the 18.104.22.168/29 range finds 193 sites historically connected with it marked as being phishing or some other malicious activity. There are at least 284 sites currently within that range, of which the following are both hosted in that range currently and are malicious:
11% of the total sites in the range have been tagged by SURBL or Google as being bad, and to be honest there are probably a LOT more but those services haven't caught up yet.
In any case, there seems to be nothing of value in 22.214.171.124/29 and I strongly recommend that you block traffic to the entire range.