First up: Sagi contacted me this morning and promised prompt and direct action.
That's all the response I could ask for.
said by MxxCon:
It's also possible that one of those servers got compromised and the owner doesn't even know about it. Many larger clients are "self-managed", i.e. the client has root access to the server and webair techs don't even have access to it. If one of those servers gets compromised or even intentionally starts spamming, they can't do anything directly to it other than escalating to cut off its network access. But if it is some big VIP client, they don't want to have an incident with the client and lose their business, so they take time to personally contact the client and work with them on this issue.
In this case, it wasn't exploit related. The domain-names that rDNS to those IPs are in line with a typical spam operation. They were all registered on 3-21-2011.
And to quote another user:
network:Organization;I : Progresivehosting INC
If rwhois is right, they just signed up less than a month ago and are already spamming.
The HTTP 'Server:' header is pretty much exclusively used by spam, and progresivehosting's domain is using a false address on WHOIS.
The odds are overwhelming that we're discussing a scumbag.
Is he a VIP scumbag? I don't think so.
I suspect the event was due to a mismanaged spam app.
One thing was the bizarrely high frequency of attempts.
Another was that the attacks stopped at 11:05:30 both nights. It was cron'd or something.
It also smacks of incompetence - so probably not a VIP.
said by MxxCon:
If that spammer is really hammering your mail server, perhaps look into a firewall approach. Block known/obvious spammers at the firewall stage rather than MTA stage.
I was doing that already - this was filling up my firewall logs.
My routers have a lot on their plate. I aim to keep their RAM/CPU usage around 33%. Stuff like this pushes it up. Better to deal with these guys promptly and not wind up with several at one time.
Adopting other people's animosity is The New Stupid.
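Added example, not code from this thread: a Python script that profiles firewall drop lines per source and per night and flags the pattern described above, a source hammering port 25 at a high rate that stops at the same wall-clock time on consecutive nights, which is what a cron-driven sender looks like in the logs. The iptables-style log format, the IP addresses, the thresholds and the 2011 year are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# iptables-style LOG line with a syslog prefix (no year); fields other than SRC and DPT are ignored.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*SRC=(\S+) .*DPT=(\d+)")

def parse(lines, year=2011):
    """Yield (timestamp, source IP, destination port) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2), int(m.group(3))

def profile(events, dport=25):
    """Per source and per calendar day: [attempt count, first seen, last seen] on the given port."""
    prof = defaultdict(dict)
    for ts, src, port in events:
        if port == dport:
            day = prof[src].setdefault(ts.date(), [0, ts, ts])
            day[0] += 1
            day[1], day[2] = min(day[1], ts), max(day[2], ts)
    return prof

def scheduled_sources(prof, min_per_min=10, tol_secs=2):
    """Sources that hammer the port and stop at the same wall-clock time on every day they were seen."""
    hits = {}
    for src, days in prof.items():
        if len(days) < 2:
            continue
        stops = [last.hour * 3600 + last.minute * 60 + last.second for _, _, last in days.values()]
        if max(stops) - min(stops) > tol_secs:
            continue
        # Lowest per-minute rate across days; a lone hit counts as one minute of activity.
        rate = min(n / max((last - first).total_seconds() / 60, 1) for n, first, last in days.values())
        if rate >= min_per_min:
            hits[src] = {"days": len(days), "stop": str(timedelta(seconds=max(stops))), "rate_per_min": round(rate, 1)}
    return hits

def make_sample():
    """Constructed log: one source hitting port 25 every 2 s until 23:05:30 on two nights, plus a legitimate sender."""
    fmt, lines = "%b %d %H:%M:%S", []
    for night in (datetime(2011, 4, 10, 23), datetime(2011, 4, 11, 23)):
        t = night
        while t <= night + timedelta(minutes=5, seconds=30):
            lines.append(f"{t.strftime(fmt)} gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=25")
            t += timedelta(seconds=2)
        t = night + timedelta(minutes=night.day)  # 23:10 on the 10th, 23:11 on the 11th
        lines.append(f"{t.strftime(fmt)} gw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=25")
    return lines
```

Run `scheduled_sources(profile(parse(open("/var/log/kern.log"))))` against a real log to list the flagged sources with their stop time and rate; the legitimate sender in the sample is not flagged because its nightly stop times differ and its rate is far below the threshold.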