You might want to look at fail2ban. It'll dynamically firewall off any IPs that make more than a user-definable number of failed login attempts.

My personal experience is that attackers rarely use the same IP more than once. When I get port scanned or spammed, my experience is that it's done by thousands of different IPs, all scanning a handful of IPs (sometimes even one to an IP!), and spamming appears to have largely gone the same way.

With antispam, I have honeypots set up for a lot of email addresses and I rarely get more than a couple of emails from a single IP, which hugely devalues IP blacklists. On the flip side, this does mean that any given site learns a huge number of IPs from botnet members though, so perhaps somebody needs to come up with an automatic system for looking up and emailing the abuse contacts responsible for the IPs to take advantage of this.
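The per-IP threshold and the one-attempt-per-address pattern discussed above, as an added example that is not part of the original posts and is not fail2ban's own code: a sliding-window failure counter run over constructed sshd-style log lines. The function name `scan`, the log format, and the ban-at-`maxretry` semantics are assumptions; `maxretry` and `findtime` are named after fail2ban's jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for root from 192.0.2.10 port 40001 ssh2
2024-05-01T10:00:05 sshd[102]: Failed password for root from 192.0.2.10 port 40002 ssh2
2024-05-01T10:00:09 sshd[103]: Failed password for root from 192.0.2.10 port 40003 ssh2
2024-05-01T10:01:00 sshd[104]: Failed password for invalid user admin from 198.51.100.1 port 41000 ssh2
2024-05-01T10:01:02 sshd[105]: Failed password for invalid user admin from 198.51.100.2 port 41001 ssh2
2024-05-01T10:01:04 sshd[106]: Failed password for root from 198.51.100.3 port 41002 ssh2
2024-05-01T10:01:06 sshd[107]: Failed password for root from 198.51.100.4 port 41003 ssh2
2024-05-01T10:02:00 sshd[108]: Accepted password for alice from 192.0.2.50 port 50000 ssh2
2024-05-01T10:05:00 sshd[109]: Failed password for root from 203.0.113.7 port 42000 ssh2
2024-05-01T10:06:00 sshd[110]: Failed password for root from 203.0.113.7 port 42001 ssh2
2024-05-01T10:30:00 sshd[111]: Failed password for root from 203.0.113.7 port 42002 ssh2
"""

FAILED = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port"
)


def scan(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return (banned, failing).

    banned:  IPs with at least `maxretry` failures inside one `findtime` window.
    failing: every IP that produced at least one failed login.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned, failing = set(), set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        failing.add(ip)
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned, failing
```

On the sample, `failing - banned` is the set of sources a per-IP threshold never reaches, which is also the list a site would have available for abuse reporting.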

