That sounds interesting, could you share the script?
I've encountered a few obvious login attempts like that, but since they come from a broad pool of IPs it's not something fail2ban can easily handle without collateral damage.
It’s parsing smartermail logs which have a kind of funky format and the script quite tied to my setup (I have a central IP ban list because I also momitor non mail related protocols on multiple machines), so not sure it would be very useful to someone else.