It took adjustment and tweaking but we managed to find a balance between the distributed attack Password Brute Force by Email and Password Brute Force by IP -- we set the IP timespan very long and the block time very long -- so long-term attacks or slow-rolling spam attacks are caught. We set the Email timespan to be very short -- with a lockout timeout of 10-20 minutes. We've seen good success with IPs getting caught while the email account lockouts are down to a minimum. No solution will perfect but having some control over the timespans and offense counts made a huge difference over our MailEnable installation.
MailEnable survivor / convert --