Why would a hacker be less likely to see the webmail login error? Are our webmail servers not attacked like every other website? Until it's too late? Too late to try a VPN login?
Ron, I get your concern, and I'm not trying to be obtuse, but obfuscated login error messages are a very typical security method. I can't remember the last time I was told anything more specific than "domain not found" or whatever our webmail tells us, and generally it's "username or password incorrect". It's just the way things are done. Maybe let your users know you have this limitation?
I run two very small SmarterMail servers. One of my users' passwords got compromised. I only knew about this from the message I got that one user had sent too many outgoing messages in the time allowed. I was able to disable his account (on my iPhone) before more than a few thousand spam emails got sent. At the time, I wasn't blocking by geo. If I had been, the hacker would likely have thought the user name / password he obtained was simply wrong, or had already been changed. If the error message had been specific, he would then have been able to use the account. (At this point in his operation, he was likely setting up the account in his spam software manually.) Giving specific information about login errors is almost always a bad idea.
IMHO, that is.
Edit to add: This is what the SMTP log shows for a geo-blocked SMTP (587, TLS) login:
[2024.05.03] 22:54:51.273 [xxx.xxx.xxx.xxx][18370050] Authentication failed - blacklisted ip by country
[2024.05.03] 22:54:51.273 [xxx.xxx.xxx.xxx][18370050] rsp: 535 Authentication failed
SmarterTools can correct me if I'm wrong, but all the client sees is the second entry, which is vague, as it should be.
(2nd edit, redacted the IP address, which was cellular.cingular.net. That's a blast from the past.)
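Added example, not part of the thread and not SmarterTools code: a log check built on the two entries quoted above, which counts geo-blocked login attempts per source IP and flags any session whose client-facing response repeats the block reason. It assumes every log line has the shape of the quoted entries and, as the post does, that only `rsp:` lines reach the client; the sample lines, IPs and session ids are constructed.

```python
import re
from collections import defaultdict

# Line shape taken from the two log entries quoted in the post:
# [date] time [ip][session] message
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<msg>.*)$"
)
GEO_REASON = "blacklisted ip by country"

# Constructed sample input (documentation-range IPs, made-up session ids).
SAMPLE_LOG = """\
[2024.05.03] 22:54:51.273 [203.0.113.7][18370050] Authentication failed - blacklisted ip by country
[2024.05.03] 22:54:51.273 [203.0.113.7][18370050] rsp: 535 Authentication failed
[2024.05.03] 22:55:02.118 [203.0.113.7][18370061] Authentication failed - blacklisted ip by country
[2024.05.03] 22:55:02.118 [203.0.113.7][18370061] rsp: 535 Authentication failed
[2024.05.03] 22:57:40.900 [198.51.100.23][18370102] rsp: 535 Authentication failed
this line is malformed and should be skipped
"""

def summarize(log_text):
    """Return (geo-blocked session count per IP, sessions whose response leaks the reason)."""
    sessions = defaultdict(lambda: {"internal": [], "client": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the quoted shape
        msg = m["msg"]
        # Assumption from the post: "rsp:" lines are sent to the client,
        # every other line stays in the server log.
        side = "client" if msg.startswith("rsp:") else "internal"
        sessions[(m["ip"], m["session"])][side].append(msg.lower())

    geo_blocked = defaultdict(int)
    leaking = []
    for (ip, session), rec in sessions.items():
        if any(GEO_REASON in note for note in rec["internal"]):
            geo_blocked[ip] += 1
        # A response repeating the block reason would tell the client that
        # the credentials themselves were not what failed.
        if any(GEO_REASON in rsp for rsp in rec["client"]):
            leaking.append((ip, session))
    return dict(geo_blocked), leaking

if __name__ == "__main__":
    counts, leaks = summarize(SAMPLE_LOG)
    print("geo-blocked sessions per IP:", counts)
    print("sessions leaking the reason:", leaks)
```

Repeated geo-blocked attempts against one mailbox are worth a password reset, since the log alone does not say whether the credentials would otherwise have worked.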