I'm in the process of setting up a mail server, which will eventually accept mail for a given domain. I am also changing name servers for said domain (to make use of zoneedit.com).
So far, I have the new server accepting mail for the domain, and the new name server serving records for the domain, including an MX pointing at the new server. However, I haven't updated the domain record, so the authorative nameservers haven't changed.
Despite this, somehow, spammers are already attempting to submit mail for the domain in question to the new MX server. Not only that, but it's targetted at particular users with non-obvious local parts.
The new MX advertises itself as "a-sub-domain.example.org", for values of "example.org", so it's possible in theory to derive "example.org" from the banner. But unlikely.
Are they psychic? Or is a spammer somehow getting notified of new MX records hosted at zoneedit (no matter whether glue records point at them)?