I just checked. At least it's not answering on 25 to receive all that free typo mail. Same for gmali.com. But they could spoof the gmail login page. Not finding out.
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
You're looking in the wrong place. They don't need to be listening for mail on the machine behind the A/AAAA records for the domain, because they have an MX record indicating that mail should be delivered elsewhere:
$ dig MX gmai.com +short
1 mail.h-email.net.
Port 25 is very rare these days, as it implies the possibility of unencrypted traffic; legitimate SMTP traffic uses port 587. That said, I checked a couple of the hosts that that name resolves to, and they all listen for both SMTP and secure SMTP traffic:
$ nmap -p 25,587 mail.h-email.net
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-18 16:31 UTC
Nmap scan report for mail.h-email.net (165.227.159.144)
Host is up (0.093s latency).
Other addresses for mail.h-email.net (not scanned): 91.107.214.206 165.227.156.49 167.235.143.33 5.75.171.74 5.161.194.135 178.62.199.248 5.161.98.212 162.55.164.116 49.13.4.90
rDNS record for 165.227.159.144: mail2.h-email.net
PORT STATE SERVICE
25/tcp open smtp
587/tcp open submission
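Added example, not part of any comment in this thread: a Python sketch of how a sending mail server picks its delivery targets from the MX lookup, which is why scanning the web host behind the A/AAAA records says little about whether a look-alike domain can receive mail. The function name and every sample value other than the `1 mail.h-email.net.` line quoted above are constructed; the rules followed are explicit MX records first, the RFC 7505 null MX, and the RFC 5321 fallback to the domain's own address.

```python
def mail_targets(mx_lines, address_records, domain):
    """Classify where SMTP senders would deliver mail addressed to `domain`.

    mx_lines        -- lines as printed by `dig MX <domain> +short` ("<pref> <host>.")
    address_records -- A/AAAA addresses of the domain itself (used only for the fallback)
    Returns (kind, hosts) with hosts ordered by MX preference, lowest first.
    """
    records = []
    for line in mx_lines:
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank lines and anything that is not "<pref> <host>"
        records.append((int(parts[0]), parts[1]))

    # RFC 7505 "null MX": a single record "0 ." means the domain accepts no mail.
    if records == [(0, ".")]:
        return ("null-mx", [])

    # Explicit MX records: mail goes to those hosts, not to the web server.
    if records:
        records.sort(key=lambda r: r[0])
        return ("mx", [host.rstrip(".").lower() for _, host in records])

    # RFC 5321 section 5.1: no MX at all, so the domain's own address is tried.
    if address_records:
        return ("implicit-mx", [domain])

    return ("no-mail", [])


if __name__ == "__main__":
    # The first MX line is the one quoted in the thread; all addresses and the
    # other domains are constructed (192.0.2.0/24 is a documentation range).
    samples = [
        ("gmai.com", ["1 mail.h-email.net."], ["192.0.2.10"]),
        ("nomail.example", ["0 ."], ["192.0.2.20"]),
        ("web-only.example", [], ["192.0.2.30"]),
        ("parked.example", [], []),
    ]
    for domain, mx, addrs in samples:
        kind, hosts = mail_targets(mx, addrs, domain)
        print(f"{domain:18} {kind:12} {', '.join(hosts) or '-'}")
```

Run against the typo variants of a domain you own, this separates look-alikes that can collect misaddressed mail (`mx`, `implicit-mx`) from those that cannot (`null-mx`, `no-mail`).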
As far as I've been able to research, these typosquatting domain traps started at the same time as the Spamhaus CSS blacklist, which was actually a company called Deteque.
If the MX has a large number of Hetzner IPs as mailservers, then it's probably Spamhaus.