Tom Collins writes:What if the system tracked it by IP, and after three failures locked out connections from that IP for 10 minutes?That has problems for companies behind a firewall which use external mail servers (we have several clients in that situation). All it takes is one person to type his password wrong and they're all locked out for ten minutes. Worse, he types it into his mail client configuration and polls every five minutes. The result is that they get onto us and complain that our mail servers are broken. Then we waste 15 minutes convincing them that they have to disable all their mail clients for ten minutes then turn them back on one at a time until they find the one with the bad password.
He meant log it on an account AND ip basis.