I have just received my second email, so I asked https://shadowserver.org to look into it for me.

They were pretty quick with the reply.

The report doesn't give a whole lot of identifying information, but rather only says "_spotify-connect._tcp.local.".

So, I can at least tell you that Spotify is the culprit, but I can't tell you /what/ device the Spotify service is running on.

Hope this helps,

So it's spotify, ironically spotify is run and partially owned by Daniel Ek. Who also ran Napster and  μTorrent, so no surprise when I discovered that Spotify caches songs locally and also streams them to other users. It's partially decentralised. Hence port 5353 mDNS.

Did you try the port forwarding solution discussed earlier in this thread?

I have, I've also deleted Spotify, I don't use it anyway.

5353 routed to .253

Hopefully that will stop any more emails.

In the past we've found the Culprit to be the Spotify service on things like PS4 rather than PC

If you want to check you can download BIND and install just the tools - Which includes DIG

Once installed you can use DIG to find out which device the service is running on,