New spamming tactic?

Over the past couple of days, we've seen either the beginning of a new botnet tactic, or we changed something on our networks that is causing network problems.

The shift in tactics is the amount of time that a bot will connect to our service, we issue them a 550 but then they don't drop the connection right away.  Typically, after a 550 a bot will drop the connection.  These ones seem to be holding on for up to a minute.

This is a little strange since it doesn't make sense for a spammer to hold onto the connection if the connection is refused.  I wonder if they're trying to target us specifically?  This sounds a little paranoid but sometimes it's prudent to be paranoid.