Follow
I should probably not be surprised but the vast majority of brute force connx to my mail server actually comes from 2 ISPs. That's quite unlike my experience with SSH brute force which i guess is more widespread.
One is a Yandex subsidiary in London, the other is Turkish. I really dislke whole subnet blocks but in this case I can live with it.
The sheer number of entries to the F2B database caused me another problem: They grew big really, really fast.
Got a fairly aggressive fail2ban config on this box but it looks like the botnet is almost every fucking host on the ISP so they just keep rotating.