The exim log is something like this:
2014-11-30 03:12:42 SMTP connection from [168.167.250.118] (TCP/IP connection count = 1)
2014-11-30 03:12:44 no host name found for IP address 168.167.250.118
2014-11-30 03:12:48 SMTP connection from (ANDREW) [168.167.250.118] closed by QUIT
2014-11-30 03:12:51 SMTP connection from [168.167.250.118] (TCP/IP connection count = 1)
2014-11-30 03:12:51 SMTP connection from [168.167.250.118] (TCP/IP connection count = 2)
2014-11-30 03:12:52 no host name found for IP address 168.167.250.118
2014-11-30 03:12:52 no host name found for IP address 168.167.250.118
2014-11-30 03:12:52 SMTP connection from [168.167.250.118] (TCP/IP connection count = 3)
2014-11-30 03:12:53 no host name found for IP address 168.167.250.118
2014-11-30 03:12:54 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:54 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:55 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:55 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:55 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:56 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:56 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:56 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:56 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:56 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:56 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=account)
2014-11-30 03:12:57 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:57 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=account)
2014-11-30 03:12:57 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:57 SMTP connection from (ANDREW) [168.167.250.118] lost
2014-11-30 03:12:57 SMTP connection from (ANDREW) [168.167.250.118] lost
2014-11-30 03:12:58 SMTP connection from [168.167.250.118] (TCP/IP connection count = 2)
2014-11-30 03:12:58 SMTP connection from [168.167.250.118] (TCP/IP connection count = 3)
2014-11-30 03:12:58 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=account)
2014-11-30 03:12:59 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:59 SMTP connection from (ANDREW) [168.167.250.118] lost
2014-11-30 03:13:06 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=account)
2014-11-30 03:13:06 SMTP connection from [168.167.250.118] (TCP/IP connection count = 2)
2014-11-30 03:13:07 SMTP connection from (ANDREW) [168.167.250.118] lost
2014-11-30 03:13:07 no host name found for IP address 168.167.250.118
2014-11-30 03:13:08 SMTP connection from [168.167.250.118] (TCP/IP connection count = 2)
2014-11-30 03:13:09 no host name found for IP address 168.167.250.118
2014-11-30 03:13:10 SMTP connection from [168.167.250.118] (TCP/IP connection count = 3)
2014-11-30 03:13:11 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:13:11 no host name found for IP address 168.167.250.118
2014-11-30 03:13:12 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=admin)
2014-11-30 03:13:13 SMTP connection from (ANDREW) [168.167.250.118] lost
2014-11-30 03:13:14 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=admin)
2014-11-30 03:13:15 SMTP connection from (ANDREW) [168.167.250.118] lost
2014-11-30 03:13:15 SMTP connection from [168.167.250.118] (TCP/IP connection count = 2)
2014-11-30 03:13:16 no host name found for IP address 168.167.250.118
2014-11-30 03:13:16 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=admin)
2014-11-30 03:13:17 SMTP connection from (ANDREW) [168.167.250.118] lost
2014-11-30 03:13:21 SMTP connection from [168.167.250.118] (TCP/IP connection count = 2)
2014-11-30 03:13:22 no host name found for IP address 168.167.250.118
2014-11-30 03:13:22 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=admin)
2014-11-30 03:13:23 SMTP connection from (ANDREW) [168.167.250.118] lost
2014-11-30 03:13:27 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=admin)
2014-11-30 03:13:27 SMTP connection from (ANDREW) [168.167.250.118] lost
2014-11-30 03:13:30 SMTP connection from [168.167.250.118] (TCP/IP connection count = 1)
2014-11-30 03:13:31 no host name found for IP address 168.167.250.118
2014-11-30 03:13:32 SMTP connection from [168.167.250.118] (TCP/IP connection count = 2)
2014-11-30 03:13:32 SMTP connection from [168.167.250.118] (TCP/IP connection count = 3)
2014-11-30 03:13:33 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 11:08:54 SMTP connection from [81.181.78.25] (TCP/IP connection count = 1)
2014-11-30 11:09:20 H=(g.advertising-iq.com) [81.181.78.25] Warning: Sender rate 1.4 / 1h
2014-11-30 11:09:20 H=(g.advertising-iq.com) [81.181.78.25] X=TLSv1:DHE-RSA-AES256-SHA:256 F=<www-data@g.advertising-iq.com> temporarily rejected RCPT <20bampi@anywhere.ro>: host lookup deferred for reverse lookup check
2014-11-30 11:09:20 SMTP connection from (g.advertising-iq.com) [81.181.78.25] closed by QUIT
2014-11-30 11:09:20 SMTP connection from [81.181.78.25] (TCP/IP connection count = 1)
2014-11-30 11:09:49 H=(g.advertising-iq.com) [81.181.78.25] Warning: Sender rate 2.4 / 1h
2014-11-30 11:09:49 H=(g.advertising-iq.com) [81.181.78.25] X=TLSv1:DHE-RSA-AES256-SHA:256 F=<www-data@g.advertising-iq.com> temporarily rejected RCPT <20bampi@anywhere.ro>: host lookup deferred for reverse lookup check
2014-11-30 11:09:49 SMTP connection from (g.advertising-iq.com) [81.181.78.25] closed by QUIT
2014-11-30 11:10:01 cwd=/etc/exim/stats 2 args: /usr/sbin/exim -bp
2014-11-30 11:12:41 cwd=/ 2 args: exim -bpc
2014-11-30 11:12:41 cwd=/ 2 args: exim -bpc
Your advice with max retry = 3 is pretty cool; the idea is that I am not able to get fail2ban to identify these lines from exim's log file:
2014-11-30 11:08:54 SMTP connection from [81.181.78.25] (TCP/IP connection count = 1)
Basically, the regex should be able to detect these lines and ban that IP address if maxretry = 3 (just for testing purposes).
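An added example, not part of the original post: a small Python harness that checks fail2ban-style failregex candidates against lines excerpted from the log above and applies a maxretry/findtime count per IP. The `HOST` pattern is a simplified IPv4 stand-in for fail2ban's `<HOST>` tag, and the rule names, `banned_hosts` and the `findtime` default are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Candidate failregex lines; fail2ban removes the timestamp before matching.
FAILREGEX = {
    "connect": r"^\s*SMTP connection from \[<HOST>\] \(TCP/IP connection count = \d+\)$",
    "authfail": r"^\s*\S+ authenticator failed for (?:\S+ )?\[<HOST>\]: 535 Incorrect authentication data",
    "refused": r"^\s*Connection from \[<HOST>\] refused: too many connections",
}
# Lines excerpted from the log quoted in the post.
SAMPLE_LINES = """\
2014-11-30 03:12:42 SMTP connection from [168.167.250.118] (TCP/IP connection count = 1)
2014-11-30 03:12:48 SMTP connection from (ANDREW) [168.167.250.118] closed by QUIT
2014-11-30 03:12:51 SMTP connection from [168.167.250.118] (TCP/IP connection count = 1)
2014-11-30 03:12:51 SMTP connection from [168.167.250.118] (TCP/IP connection count = 2)
2014-11-30 03:12:54 Connection from [168.167.250.118] refused: too many connections from that IP address
2014-11-30 03:12:56 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=account)
2014-11-30 03:12:57 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=account)
2014-11-30 03:12:58 courier_login authenticator failed for (ANDREW) [168.167.250.118]: 535 Incorrect authentication data (set_id=account)
2014-11-30 11:08:54 SMTP connection from [81.181.78.25] (TCP/IP connection count = 1)
2014-11-30 11:09:20 SMTP connection from [81.181.78.25] (TCP/IP connection count = 1)
""".splitlines()

def banned_hosts(lines, names, maxretry=3, findtime=600):
    """Return {ip: ban time} for IPs with maxretry matches inside findtime seconds."""
    rules = [re.compile(FAILREGEX[n].replace("<HOST>", HOST)) for n in names]
    window = timedelta(seconds=findtime)
    hits, bans = defaultdict(deque), {}
    for line in lines:
        try:
            ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # wrapped or malformed line without a leading timestamp
        match = next((m for r in rules if (m := r.search(line[19:]))), None)
        if match is None:
            continue
        ip = match.group("host")
        hits[ip].append(ts)
        while ts - hits[ip][0] > window:  # drop hits older than findtime
            hits[ip].popleft()
        if len(hits[ip]) >= maxretry:
            bans.setdefault(ip, ts)  # keep the time of the first ban
    return bans

if __name__ == "__main__":
    for name in FAILREGEX:
        print(name, banned_hosts(SAMPLE_LINES, [name]))
```

The `connect` pattern matches every inbound connection, including legitimate senders, so it only suits the testing described in the post; `authfail` is the pattern tied to failed logins.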