We've been having several of our servers attacked by 18.104.22.168. This IP is trying to brute-force SIP passwords.
We've blocked it at our firewalls, but it is still consuming inbound bandwidth, which is really expensive in our country.
We've tried the abuse contacts from whois without success (the e-mails return with an error), and finally, based on reverse DNS, we were able to contact the old owner of this IP, who provided the real abuse contact of the ISP (openhosting.co.uk).
We've contacted them to notify them about the abuse, with several messages over the last 3 days. They say they've notified the client and that they are trying to check what is happening, but we still haven't received a solution.
What should we do? Each day this IP starts attacking new IPs on our networks. Maybe a brute-force on several ranges.