Clever spammers, knowing that Mail Server Software can't block a HELO/EHLO of *.* if wildcards are enabled without blocking everyone! Not sure whether to be impressed or disgusted by their cleverness. Although from your log excerpt it looks like you did SMTP Block the EHLO domain of *.*. Does that actually work in SM without blocking all EHLO domains?
About the closest you can come would be to make an IDS Rule for Bad SMTP Sessions (Harvesting) with your criteria and do second rule that on the third offense blocks for a ridiculously long time like 525,600 or 10,512,000 minutes (1 year and 20 years). The problem being is that you could potentially block a lot of legitimate traffic this way whenever an email address is no longer valid and senders attempt to send to that address.
To be honest they are already blocked by the SMTP Blocking of the EHLO (still not sure how you got that wildcard string to work without blocking everything). Although SM is humoring them as a Honeypot for SMTP Blocking of EHLO they aren't ever able to do anything more than take up a single connection for a second or two and waste their own time. They are effectively blocked already and don't require a need to be further blocked by IP using IDS Rules. If you really feel the need for blocking these by IP I would suggest not going any lower than 50 Bad Sessions Per 60 minutes to prevent blocking legitimate senders (that's what we use with a 0.5% false-positive rate where we have to manually unblock a handful of legitimate IPs out of the thousands we block...although most of them we just end up adding to Whitelists to avoid having to unblock them again a week or two later).