Repeat login with new usernames leads to the server getting rate limited by mojang - we should be able to catch and kill duplicate login attempts from a single IP with fail2ban:  Write a rule or set of rules to catch this sort of attack, block the IPs, and ideally send abuse report emails.