Thanks Noway2.
There are only 3 usernames: admin, abuse, and one other. Abuse wouldn't make much sense to send from, and all have different 17-char passwords.
Attempts are throttled to not more than 4 per minute by a conditional in iptables.
I monitor via logwatch and DirectAdmin Brute Force Monitor, and block via iptables if any of the fiends are very persistent.
So I think we're safe, but I was curious why they want to do this so much.