Is there a way to set a trip guard on SMTP connections and start blocking a source IP address after N failures on the SMTP protocol? SAM blocking comes to mind here.
The issue is I have a mail server (Barracuda Email Security Gateway) that gets hammered on every now and again by some silly system that tries hundreds of relay attempts with credential guessing. The barracuda blocks them after a few attempts but my log on the box fills up rather fast this way. I was just curious if there is way to block this in R80.10 with one of the blades.
Or do I need to get some extra logic device that will correlate the syslog events of the Barracuda and fire up a SAM blocking action? (Do I have a business case for Splunk here ;-)