Community Discussions and Support
SmtpEvent daemon - strange connection patterns and MGLNDD

Analyzing MercuryS logs, I see that most of the strange connection patterns are treated as hostile and blacklisted.
But sometimes I find some strange connection patterns that are not tagged.
Samples:

T 20250915 121330 68c6f719 Connection from xxx.xxx.xxx.xxx
T 20250915 121330 68c6f719 SYN ETX SOH
T 20250915 121330 68c6f719
T 20250915 121330 68c6f719 DC3 ETX DC3 SOH DC3 STX SOH
T 20250915 121330 68c6f719
T 20250915 121531 68c6f719 Connection closed with xxx.xxx.xxx.xxx, 121 sec. elapsed.

Starting with SYN ETX and SOH control chars and lasting 121 sec.

T 20250912 211422 68c2a431 Connection from xxx.xxx.xxx.xxx
T 20250912 211422 68c2a431 ETX
T 20250912 211422 68c2a431 Connection closed with 194.180.48.166, 0 sec. elapsed.

I don't know the internals, but in this case it seems that the very first data is an ETX control char.
Shouldn't this be treated as hostile and blacklisted?


Also, from time to time I noted MGLNDD attempts.

T 20250911 080532 68c28094 Connection from xxx.xxx.xxx.xxx
T 20250911 080532 68c28094 MGLNDD_yyy.yyy.yyy.yyy_25
T 20250911 080532 68c28094 Connection closed with xxx.xxx.xxx.xxx, 0 sec. elapsed.

I realize that this can be legit, but it can also be someone mapping open ports for exploitation.

Is it possible to add an option to block and blacklist MGLNDD attempts?

Regards,
Maurício Ventura Faria

If a connection is closed without any proper SMTP transaction happening the connecting IP address will be added to the watchlist, and there will be a line in the console window saying "Connection was ended prematurely - watchlist updated" but no line in the log file. If there are a certain number of such events within a specified time the IP address will be blocked and there will be a log line saying so. Anything being sent that isn't part of an SMTP conversation is ignored by MercuryS and SmtpEvt both.
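
The following is an added example, not code from the Mercury/Pegasus Mail project or from either poster. It parses session log lines in the format quoted in the question, labels each session by what the client sent before any SMTP command (the control-character bursts, the MGLNDD_ip_port probe, or a normal SMTP verb), and feeds the suspect sessions into a sliding-window watchlist that blocks an address once a number of such events fall within a time window, which is the watch-then-block behaviour the reply describes. The sample log is constructed with RFC 5737 addresses; the threshold of 3 events in 10 minutes, the MGLNDD regex, and the list of control-character mnemonics are assumptions, not MercuryS's actual settings or internals.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the session-line format quoted in the post
# ("T YYYYMMDD HHMMSS <session-id> <text>"); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
T 20250915 121330 68c6f719 Connection from 192.0.2.10
T 20250915 121330 68c6f719 SYN ETX SOH
T 20250915 121330 68c6f719
T 20250915 121330 68c6f719 DC3 ETX DC3 SOH DC3 STX SOH
T 20250915 121330 68c6f719
T 20250915 121531 68c6f719 Connection closed with 192.0.2.10, 121 sec. elapsed.
T 20250912 211422 68c2a431 Connection from 192.0.2.11
T 20250912 211422 68c2a431 ETX
T 20250912 211422 68c2a431 Connection closed with 192.0.2.11, 0 sec. elapsed.
T 20250911 080532 68c28094 Connection from 192.0.2.12
T 20250911 080532 68c28094 MGLNDD_198.51.100.5_25
T 20250911 080532 68c28094 Connection closed with 192.0.2.12, 0 sec. elapsed.
T 20250911 080540 68c28095 Connection from 192.0.2.20
T 20250911 080540 68c28095 EHLO mail.example.net
T 20250911 080541 68c28095 Connection closed with 192.0.2.20, 1 sec. elapsed.
T 20250911 080740 68c28096 Connection from 192.0.2.12
T 20250911 080740 68c28096 MGLNDD_198.51.100.5_25
T 20250911 080740 68c28096 Connection closed with 192.0.2.12, 0 sec. elapsed.
T 20250911 080951 68c28098 Connection from 192.0.2.12
T 20250911 080951 68c28098 MGLNDD_198.51.100.5_25
T 20250911 080951 68c28098 Connection closed with 192.0.2.12, 0 sec. elapsed.
"""

LINE_RE = re.compile(r"^T (\d{8}) (\d{6}) ([0-9a-f]{8})(?: (.*))?$")
CONN_FROM_RE = re.compile(r"^Connection from (\S+)$")
CONN_CLOSED_RE = re.compile(r"^Connection closed with (\S+), (\d+) sec\. elapsed\.$")
# Assumed shape of the probe line seen in the post: MGLNDD_<ip>_<port>
MGLNDD_RE = re.compile(r"^MGLNDD_(\d{1,3}(?:\.\d{1,3}){3})_(\d+)$")

# ASCII control-character mnemonics as the log prints them (assumed complete list)
CONTROL_NAMES = {
    "NUL", "SOH", "STX", "ETX", "EOT", "ENQ", "ACK", "BEL", "BS", "HT", "LF", "VT",
    "FF", "CR", "SO", "SI", "DLE", "DC1", "DC2", "DC3", "DC4", "NAK", "SYN", "ETB",
    "CAN", "EM", "SUB", "ESC", "FS", "GS", "RS", "US", "DEL",
}
SMTP_VERBS = {"HELO", "EHLO", "STARTTLS", "MAIL", "RCPT", "DATA", "QUIT", "NOOP", "RSET", "AUTH"}


def parse_sessions(text):
    """Group log lines by session id; returns sessions in order of first appearance."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        date, time, sid, body = m.groups()
        ts = datetime.strptime(date + time, "%Y%m%d%H%M%S")
        sess = sessions.setdefault(
            sid, {"id": sid, "ip": None, "start": ts, "end": None, "elapsed": None, "lines": []}
        )
        body = (body or "").strip()
        if cf := CONN_FROM_RE.match(body):
            sess["ip"] = cf.group(1)
        elif cc := CONN_CLOSED_RE.match(body):
            sess["end"], sess["elapsed"] = ts, int(cc.group(2))
        elif body:
            sess["lines"].append(body)  # client data, with control chars shown as mnemonics
    return list(sessions.values())


def classify_session(sess):
    """Label a session by the first thing the client sent, before any SMTP command."""
    if not sess["lines"]:
        return "empty"  # closed without sending anything: the reply's watchlist case
    first = sess["lines"][0]
    tokens = first.split()
    if MGLNDD_RE.match(first):
        return "mglndd-probe"
    if all(tok in CONTROL_NAMES for tok in tokens):
        return "control-chars"
    if tokens[0].upper() in SMTP_VERBS:
        return "smtp"
    return "other"


class Watchlist:
    """Per-IP sliding window: block once `threshold` suspect events fall within `window`.
    Models the watch-then-block behaviour the reply describes; the numbers are assumed."""

    def __init__(self, threshold=3, window=timedelta(minutes=10)):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)
        self.blocked = set()

    def record(self, ip, ts):
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events that aged out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
        return ip in self.blocked


def analyze(text, threshold=3, window=timedelta(minutes=10)):
    """Classify every session and feed the suspect ones to the watchlist in time order."""
    wl = Watchlist(threshold, window)
    verdicts = {}
    for sess in sorted(parse_sessions(text), key=lambda s: s["start"]):
        label = classify_session(sess)
        verdicts[sess["id"]] = label
        if label in ("control-chars", "mglndd-probe", "empty") and sess["ip"]:
            wl.record(sess["ip"], sess["start"])
    return {"verdicts": verdicts, "blocked": sorted(wl.blocked)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for sid, label in result["verdicts"].items():
        print(f"{sid}: {label}")
    print("blocked:", result["blocked"])
```

Run against the sample, the two control-character sessions and the single ETX session are labelled but not blocked, because each source appears only once, while the address that repeats the MGLNDD probe three times inside the window ends up on the blocked list. Tuning the threshold and window is the trade-off the reply points at: a real MercuryS deployment would want them low enough to catch repeat probing but high enough that a single dropped or malformed connection does not block a legitimate relay.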