It would be useful if the expired blocks remained present, even after refresh, perhaps just showing 0 time left  - until manually deleted.  It could be an optional setting.  This would allow catching repeat offenders, and offenders with closely related IP's.

Current configuration on my incoming gateway:

IDS block after 1 SMTP AUTH failure:   37267 minutes (22 days)

Once an address is in the IDS block, it is easy to convert them to permanent blocks (in groups of 200).  For awhile, I was doing that, and collected 4700+ entries.   But 4700 entries out of 4 billion is still a small subsection, and I never saw sufficient density to consolidate offenders into subnets.   Consolidating would also have been very tedious.  

Based on someones recommendation in this forum, I have just been letting the IDS blocks run out.   I am assuming (hoping) that repeat offenders will have their timeouts restarted every time that they try again.

With this configuration, I always have over 1000 active IDS blocks.

It would be very useful to have a list of current and past offenders, maybe even with a count on how many they tried again. This list should be exportable to CSV so we can also import them to our firewall.

Hopefully you can retieve IDS blocks and Blacklist addresses using the REST API.  Then you could populate your own database or firewall.  

We used this approacb with a previous incoming gatewau device.  Any SMTP AUTH failure triggered a firewall rule to block all ports for the related /24 subnet.  (No database component thoughj.)  Have not yet recreated it with tbe SmarterMail gateway.  No known problems from generalizing the one address to an entire subnet, but your results may vary.

We are not programmers and do not want to use the APIs. A menu or submenu where the IDS already is, with a list of current blocked IPs, plus previous blocked IPs and the hit count, with the possibility to download them in a CSV or any other type of file - that is what would benefit anyone. Now, if someone wants to take this to a next level, then sure, this list should also be retrievable via the REST APIs.

... and potentially importable into other SM customer's Blacklists

The blacklist can be imported/exported to/from SmarterMail environments as desired. The IDS list is a temporary block list as designed, as most crackers/spammers rotate through IPs regularly to avoid detection. If you are able to confirm a particular IP is seen on this list more often than not, adding it to the blacklist (under Settings>Security>Blacklist) is the recommended way to prevent further connectivity from the IP. Once you have a good-sized list of blocked IPs, you can use ...>Export Blacklist to bring that configuration into all of your other SmarterMail environments. 

Please don't leave expired blocks in the list. This would be problematic to large and busy servers. I have anywhere between 800 and 1500 items in my IDS at any given time. When the list grows beyond about 1700 it starts to slow down processing significantly. Leaving expired blocks would create multiple levels of additional processing that just should not be there.