In the past couple weeks we've had a slew of undeliverable messages and spam to various users on our domain. Essentially, accounts were used as a reply to address, spam was sent and bounced back to the address listed in reply-to on our domain. In some cases though, we saw multiple messages being sent from our server directly which means accounts had been compromised. We had users change their passwords as a precautionary measure which helped in multiple cases. In some cases it still hasn't helped, so we implemented the "Failed Login Policy." We have it set to lock out for 10 minutes after 5 attempts over a 5minute time span. One user keeps getting booted from their email account and locked out. We know that all the accounts they have set up are correct which means that someone (or some automated program) is potentially trying to get into their account.

There are however some things about this function that aren't quite clear:

A)If the lockout period has lapsed, I would think the lockout on the account would switch to active, but it doesn't. When in the admin panel, it doesn't change from lockout until the user logs back in successfully after the lockout period. Why is that?

B)If during the lockout period, another attempt is made, does the lockout timer re-start or just continue until the full lockout time is lapsed after the last failed login attempt which triggers the lockout?

C)We have users that are using Zimbra Desktop, Outlook, Webmail, Mac mail (on computers and iPads). How are login attempts tracked (in terms of what will/won't trigger a lockout) when users have their account set up on multiple devices or in multiple programs?

D)When you get locked out and try to login via webmail, it only says that your CAPS LOCK may be on or that you entered your password incorrectly and to try again; it doesn't mention tell the user they are locked out, therefore they continue to try which I don't know if that restarts the 10minute lockout period or not.

Any information on these items would be greatly appreciated.