yeah, /var/log is a good start.
On the web server we can do this; it may help on the mail server as well? I dunno, wouldn't hurt to try:
edit your /etc/hosts.deny and add the intruders' IP addresses (from auth.log) and block them.
You can actually make an executable file under /log and run it; here's a little widget I found and modified to work with my system:
# sort before uniq -c: uniq only merges adjacent duplicate lines
grep 'from' /var/log/auth.log | cut -d ' ' --field=13 | sort | uniq -c | sort -nr > ct-result.txt
cat ct-result.txt |more
here's a link which has vpop and qmail and a lot more in middle of the page;
btw I think many ppl run clamd on their mail servers?
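
Added example, not part of the original post: the same auth.log count, but matching the address by pattern instead of a fixed field number, then printing /etc/hosts.deny entries for addresses at or above a threshold. The function names, the threshold, the allowlist and the sample log lines are constructed for illustration; it assumes OpenSSH's "Failed password ... from <IPv4> port <n> ssh2" message format.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH logins per
# source address and print hosts.deny entries for the noisy ones.

# Constructed sample log: documentation address ranges, made-up host and users.
sample_log() {
cat <<'EOF'
Mar  3 10:01:12 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:02:40 web1 sshd[2290]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Mar  3 10:03:01 web1 sshd[2301]: Failed password for invalid user test from 198.51.100.23 port 33810 ssh2
Mar  3 10:03:09 web1 sshd[2305]: Failed password for root from 203.0.113.7 port 51190 ssh2
Mar  3 10:03:30 web1 sshd[2309]: Failed password for invalid user x from 192.0.2.10 from 198.51.100.23 port 33811 ssh2
EOF
}

# stdin: auth.log text; stdout: "<count> <ip>", highest count first.
# The greedy ".*" together with the "$" anchor selects the LAST
# " from <ip> port" on the line, so a user name that itself contains
# " from " cannot shift the parsed address the way a fixed cut field can.
failed_counts() {
  grep 'sshd\[[0-9]*]: Failed password for ' |
    sed -n 's/.* from \([0-9][0-9.]*\) port [0-9][0-9]* ssh2$/\1/p' |
    sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# $1: minimum number of failures; $2: space-separated addresses never to block.
# stdin: auth.log text; stdout: one hosts.deny line per offending address.
deny_lines() {
  failed_counts | awk -v min="$1" -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 >= min && !($2 in ok) { print "sshd: " $2 }'
}

# Demo on the constructed sample; on a real host, feed /var/log/auth.log instead:
#   deny_lines 5 "192.0.2.10" < /var/log/auth.log
sample_log | deny_lines 3 "192.0.2.10"
```

Review the output before appending it to /etc/hosts.deny; the file only affects services built with TCP wrappers (libwrap) support.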