I have my firewall only accepting forwarded connections that are initiated (new) from known devices on my internal network. Anything else, with the exception of a dst-nat (port forward) rule created for torrents is blocked. This includes anything that creates a upnp port forward. If you're not something I know of, you get blocked and labelled a 'spammer'. Should a 'spammer' try any unsolicited connection a second time, they get blocked outright with no exceptions for a duration of time.
Through this I notice in the logs that every few seconds there are connection attempts being made to a UPnP created port forward entry, as follows:
Running netstat -ao shows that the service is as highlighted below: