IP Address: 2a01:111:f403:c400::3 โ IP Confounder
Dormant. IP address 2a01:111:f403:c400::3 is registered to ORG-MA42-RIPE and geolocates to Hong Kong, Hong Kong. It was observed in sh4meful's dataset on May 7, 2024. Over the observation window, it has failed DMARC alignment once, targeting one sender domain. It has no reverse DNS record. Network context: this address sits within UK-MICROSOFT-20060601 (ORG-MA42-RIPE), a network sh4meful has observed producing 68 failures across 55 distinct IPs during the same window.
Failure Activity Over Time
This page shows DMARC authentication failure data for this IP address. Learn more about this data.
Geolocation Information
- Country:
- HK Hong Kong
- City:
- Hong Kong
- Coordinates:
- 22.2842, 114.1759
WHOIS Information
- Network Name:
- UK-MICROSOFT-20060601
- Owner:
- ORG-MA42-RIPE
Analysis
This IP is classified as a confounder: Microsoft 365 Exchange Online Protection (EOP). Failures observed from this source are expected artifacts of legitimate mail-handling behavior, typically email forwarding or mailing-list processing, and do not indicate spoofing attempts.
The host is operated by ORG-MA42-RIPE and geolocates to Hong Kong, Hong Kong. Its presence in DMARC aggregate reports is an artifact of how forwarded mail interacts with SPF and DKIM authentication, not a sign of abuse originating from this address.
Administrators observing this IP in their DMARC aggregate reports should not block or treat it as hostile. Microsoft Exchange Online Protection (EOP) and Office 365 relay addresses appear in DMARC reports for mail routed through Microsoft's filtering infrastructure. Ensure your SPF record includes Microsoft's published mail server ranges.
IP Confounder: Microsoft 365 Exchange Online Protection (EOP)
Exchange Online Protection (EOP) is a cloud-based email filtering service included with all Microsoft 365 subscriptions to protect against spam, malware, and phishing attacks. It automatically secures mailboxes by filtering incoming and outgoing messages in real-time using anti-spam, anti-malware, and content filters. During periods of active campaign activity, these can largely be ignored (esp. when recipients are on Exchange). However, forged emails have been observed from Microsoft infrastructure that have this signature too.
External Reputation Lookups
Look up this IP in external threat intelligence and reputation databases (opens in new tab):
Recommended Action
If this IP appears in your own DMARC reports, treat it as an unauthorized sender unless you have specifically verified it as a legitimate service you use. Ensure your DMARC policy is at p=quarantine or p=reject to prevent delivery of messages this IP claims to send from your domain. If you're new to DMARC, our complete guide walks through the mechanics.