Here's a recent, not entirely surprising discovery about spammer behavior: some spammers are really slow to pick up DNS updates.

We changed MX entries to point to our new SMTP frontend on late Monday afternoon. Our MX entries had the standard 24 hour timeout and our secondary servers had updated to the new zones by Tuesday morning at the latest, so by now it is more than two days after our old MX entries were required to have been purged from caches, even if they were gotten from a secondary using the old zone a mere millisecond before it updated.

And, you guessed it, spammers are still sending spam to the old MX.

(Since the new MX does spam tagging and the old one does not, this is vaguely irritating. If it was not a Friday, we might be doing something clever about the situation.)

I have to speculate about how the spam software behind this works. Clearly it doesn't do DNS lookups at the time it sends stuff, but does it do DNS lookups earlier and cache the results, or does it have a frontend that precomputes things all the way down to IP addresses? (The latter might be more useful, since it lets you use open relays too.)

Also, not all spammers and spam software does this; some spammers started hitting the new MX more or less the moment we published it, much faster than the places that send us legitimate email. (Which is not surprising; places that send us real email pretty much send us email regularly, which means that they have our MX entries in their DNS cache. A spammer's machine is probably not sending us email regularly, so is unlikely to have our MX already cached.)