Late answer but for other people who's searching for answers.
If you use dovecot with inetd or xinetd. You activate it with /path/to/dovecot/pop3-login or pop3-login --ssl (if you use TLS/SSL). This is the binary we want to exclude people from using through hosts.deny.
Use
to exclude anyone at all from using dovecot pop3 through hosts.deny. Works for me! if you use an the IMAP enabled part of Dovecot, checkout what the corresponding entries would be in the Dovecot documentation but a wild guess is imap-login
Also, when it comes to Thunderbird, you can't expect it to show you what's really going on. I first picked up mail and everything was fine. I then activated the above and Thunderbird still said he could fetch mail, even though there was a delay between the "Checking for mail" messages and "No mail to fetch" message... However, the mails in the mailbox were not fetched, the Thunderbird error console reported an error (Component not available) and the Linux secure log reported that my IP was denied a connection to the pop3 service.
..still, Thunderbird, if you didn't bother to "look under the table", said that "No mail to fetch"...