Thanks for your good comments. None of these attempts have been successful - so far.
I consider the attack a slow brute-force attack. I can see in /var/log/cvm/current that the attack focuses on a limited number of accounts, some of which have been closed for some time, others still active.
I'm somewhat impressed by the number of IP addresses involved. During the past two weeks, the attack has come from 735 different IP addresses. Most addresses are only used for one or two attempts. The attack is still going on, from new IP addresses.
Is there a way to block mail delivery from hosts where the reverse DNS of the IP address matches *.virtua.com.br? I guess no well-behaved mail server will be blocked by this?
Jesper Holck, Denmark