Sendmail: Block IP/subnet of scanners/brute force login attempts

For quite some time, I’ve noticed that usually an entire subnet like 1.2.3.1/24 will try to login to sendmail, obviously to check for easy to use accounts to spam and/or other things. One IP like 1.2.3.1 will test for user hello@mydomain.com, then a minute later IP 1.2.3.7 will try with user support@mydomai.com, etc. When they do that, they try various accounts that are not present on my system.

Another variation that is happening as I’m typing right now, is that again by using the same subnet but different IPs, they will try to brute force the pasword of my only existing account.

Is there a way to automatically block the offending subnet when that happens?

I run fail2ban to protect my email server.

I initially modified it to block x.x.x.x/24 as a subnet which is very easy.

For fun I made it more complex and now it tries to work out the actual subdomain and block all of it. If people are interested I am happy to write it up but right now my life is focused on a large turkey that has an appointment with an oven tomorrow!

Happy Christmas everyone.