You generally got to be very careful of what info you relay back to the login page. Hackers could use any piece of information they see to validate their other data. If they know they are blocked, they can try with a different IP or try a different user in the mean time. If we keep telling them the exact same thing, they may not know they are blocked or that they are even hitting a valid email address. This can slow down serious attempts to bruteforce this information.