What is the recommended way to combat this behavior?
I'd personally lean towards fail2ban or comparable solutions to aggregate Rejects with other suspicious behaviour on other ports and react with system-wide IP bans.
Fail2ban e.g. has examples for catching REJECTs in its wiki: http://www.fail2ban.org/wiki/index.php/Postfix Plus built-in modules to handle Postfix SASL login failures and others. I expect the competition is doing the same.
OpenPGP_signature
Description: OpenPGP digital signature
