IP Address *.*.*.163 is listed in the CBL. It shows signs of being infected with a spam-sending trojan, malicious link or some other form of botnet.
It was last detected at 2017-06-25 15:00 GMT (+/- 30 minutes), approximately 10 hours, 30 minutes ago.
It has been relisted following a previous removal at 2017-06-22 10:09 GMT (3 days, 14 hours, 46 minutes ago).
This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.
More information about Conficker can be obtained from Wikipedia.
Please follow these instructions.
DShield has a diary item containing many third-party resources, especially removal tools such as Norton Power Eraser, Stinger, MSRT etc.
One of the most critical items is to make sure that all of your computers have the MS08-067 patch installed. But even with the patch installed, machines can get reinfected.
There are several ways to identify Conficker infections remotely. For a fairly complete approach, see Sophos.
If you had full firewall logging turned on at the time of detection, the following may be sufficient to find the infection behind a NAT:
Your IP was observed making TCP connections to IP address 184.108.40.206 (a Conficker sinkhole) with destination port 80 and source port (for this detection) 1444, at exactly 2017-06-25 14:30:15 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.
If you don't have full firewall logging, perhaps you can set up a firewall block/log of all access (any port) to IP address 220.127.116.11 and keep watch for hits.
WARNING: DO NOT simply block access to 18.104.22.168 and expect to not get listed again. There are many Conficker sinkholes - some move around and even we don't know where they all are. Blocking access to just one sinkhole does not mean that you have blocked all sinkholes, so relistings are possible. You have to monitor your firewall logs, identify the infected machines, and repair them if you wish to remain delisted.
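The firewall-log check described above, as an added example that is not part of the CBL notice: it scans gateway logs for the internal host behind the detected connection. The sinkhole address, ports and timestamp are taken from the detection sentence; the iptables LOG line format, pre-NAT logging in UTC, the internal addresses and the 120-second tolerance for local clock drift are assumptions.

```python
import re
from datetime import datetime, timedelta

# Detection details quoted from the listing text above.
SINKHOLE_IP = "184.108.40.206"
DEST_PORT = 80
SOURCE_PORT = 1444
DETECTED_AT = datetime(2017, 6, 25, 14, 30, 15)  # UTC

# Constructed sample lines in iptables LOG format (assumption: pre-NAT
# logging on the gateway, syslog timestamps already in UTC).
SAMPLE_LOG = """\
Jun 25 14:29:02 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=93.184.216.34 LEN=52 PROTO=TCP SPT=50112 DPT=80 SYN
Jun 25 14:30:14 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=184.108.40.206 LEN=48 PROTO=TCP SPT=1444 DPT=80 SYN
Jun 25 14:30:16 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=184.108.40.206 LEN=48 PROTO=UDP SPT=1444 DPT=80
Jun 25 16:05:41 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=184.108.40.206 LEN=48 PROTO=TCP SPT=2210 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bSRC=(?P<src>\S+)\sDST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+)\sSPT=(?P<spt>\d+)\sDPT=(?P<dpt>\d+)")

def find_suspects(log_text, window_seconds=120):
    """Return internal hosts that opened TCP connections to the sinkhole.

    Each hit is (src_ip, timestamp, strength). "exact" means time and source
    port both match the listing; "related" is any other TCP hit on the
    sinkhole, which still warrants a look because NAT can rewrite the
    source port and an infected host keeps calling back.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != SINKHOLE_IP or m["proto"] != "TCP":
            continue
        if int(m["dpt"]) != DEST_PORT:
            continue
        # Syslog omits the year; take it from the detection timestamp.
        ts = datetime.strptime(f"{DETECTED_AT.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        near = abs(ts - DETECTED_AT) <= timedelta(seconds=window_seconds)
        exact = near and int(m["spt"]) == SOURCE_PORT
        hits.append((m["src"], ts, "exact" if exact else "related"))
    return hits

if __name__ == "__main__":
    for src, ts, strength in find_suspects(SAMPLE_LOG):
        print(f"{ts} UTC  {src}  {strength}")
```

Because other sinkholes exist, the same function can be rerun with a different SINKHOLE_IP, and "related" hits outside the detection window point at a host that is still calling back.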