Hackers compromises our SMTP server

Our SMTP server has recently started to behave very strange and that started after we upgraded our internet connection. I believe that the extra bandwidth helped the hackers or script kiddies with their activities. I have a theory of how to stop it, because in the security logs from the server I found millions of relay attempts. My idea is to run a script on that log to make a file to import in the RouterOS to block those IP numbers. I think that this soulution can also be handy for other than SMTP servers. The problem is that my script knowledge is some sort of limited, so any hints would be appreciated.

Here is one of the relay attemts: (from Microsoft)

[03/Oct/2005 09:01:56] Relay attempt from IP address 60.198.65.53, mail from <support@microsoft.com> to <support@microsoft.com> rejected

[04/Oct/2005 01:12:26] Relay attempt from IP address 61.224.69.36, mail from <support@microsoft.com> to <support@microsoft.com> rejected

I have made a batch script to generate the filter rules from the security log generated by the SMTP server, now I only need to make a script in the RouterOS to fetch the list by ftp and import it. There is one problem I discovered, there is possible to import the same IP address multiple times. This is not a problem if you only have one server, you just have to purge the log and the same IP address would never show up again. The problem is when you have many servers, you must be sure that there is no duplicate Ip addresses. I would rather generate a master list of IP addresses and then generate the final filter list so I have some sort of control of what I have done.