Over the past couple of days, we've seen either the beginning of a new botnet tactic, or we changed something on our networks that is causing network problems.
The shift in tactics is the amount of time that a bot will connect to our service, we issue them a 550 but then they don't drop the connection right away. Typically, after a 550 a bot will drop the connection. These ones seem to be holding on for up to a minute.
This is a little strange since it doesn't make sense for a spammer to hold onto the connection if the connection is refused. I wonder if they're trying to target us specifically? This sounds a little paranoid but sometimes it's prudent to be paranoid.