Ed W put forth on 3/5/2010 3:44 AM:
> ...but ... At least my public facing servers seem to be receiving trickle scans where there is definite evidence of a slow distributed bruteforcer which uses multiple IPs to try multiple usernames and I probably only see each IP a few times a day... This is quite hard to defend against without some kind of distributed system (and I believe there are such things?)
It's good policy these days to use ipdeny.com cidr tables and ban all countries from your servers that will never need legitimate access to them. If you're in the US, do you need to allow Chinese or Russian IP space to connect to your IMAP ports? If not, it's pretty simple to add iptables rules on all your servers to ban all the countries where a large amount of unauthorized connection attempts originate.
This usually can't be done with off the shelf firewalls from the likes of Cisco et al as they don't have enough memory. For a large server farm, it would be better to have a Linux or NetBSD box running firewall duty for the farm so you only have to load these rules once and eat cycles on only one machine.
Also keep in mind that iptables load time for huge country files can be pretty substantial. I experimented with this on an old dual 550 MHz machine and it took something like 30 seconds to load just the China cidrs into iptables. If you plan to load up multiple countries, initial iptables loading might take a while.
Once you've got it set up and tuned it can work very well.
-- Stan
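The 30-second load time Stan mentions comes from invoking iptables once per CIDR. The script below is an added example, not code from Stan's post or from ipdeny.com; it goes one step beyond the post by loading a country file into a single ipset (hash:net) and attaching one iptables rule to it, so the whole table is committed in one `ipset restore` transaction and lookups are a hash match rather than a linear rule walk. The set name `cn-imap`, the IMAP/IMAPS port pair and the sample ranges are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Stan's or ipdeny.com's code): turn a per-country CIDR
# list into one ipset plus one iptables rule, so the whole country loads in a
# single restore transaction instead of thousands of iptables invocations.
# Set name, port list and sample ranges below are assumptions.

# Constructed stand-in for an ipdeny.com country file (RFC 5737 test ranges,
# not real allocations), including junk lines that a loader must ignore.
write_sample_cidrs() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real country table
192.0.2.0/24
198.51.100.0/24
not-a-cidr
203.0.113.0/24

EOF
    printf '%s\n' "$f"
}

# Emit an `ipset restore` script for one country: a `create` line followed by
# one `add` line per valid, de-duplicated CIDR. Blank lines, comments and
# malformed entries are dropped so one bad line cannot abort the restore.
gen_ipset_restore() {
    set_name=$1
    cidr_file=$2
    printf 'create %s hash:net family inet\n' "$set_name"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$cidr_file" \
        | sort -u \
        | while read -r cidr; do
            printf 'add %s %s\n' "$set_name" "$cidr"
        done
}

# Emit the single iptables rule that references the set, limited to the ports
# that never need access from that country (IMAP and IMAPS here, assumed).
gen_iptables_rule() {
    set_name=$1
    ports=$2
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s -m set --match-set %s src -j DROP\n' \
        "$ports" "$set_name"
}

# Count the members a generated restore script would load; compare this with
# the line count of the source file before applying to a production firewall.
count_set_members() {
    grep -c '^add '
}

# Demonstration run: prints the generated text only. To apply on a real box:
#   gen_ipset_restore cn-imap cn.zone | ipset restore
#   eval "$(gen_iptables_rule cn-imap 143,993)"
sample=$(write_sample_cidrs)
gen_ipset_restore cn-imap "$sample"
gen_iptables_rule cn-imap 143,993
rm -f "$sample"
```

Because the set is populated before the rule references it, the firewall never sees a half-loaded table, and refreshing a country later is a matter of restoring into a new set and swapping it in with `ipset swap`, which avoids the reload gap that re-running thousands of individual iptables commands would open.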