by ipaddr 974 days ago
How would you deal with an attack through residential US proxies? Your method falls apart.

The way many of us deal with automated password attacks is to issue questions that only locals or people with specific knowledge could answer. Change the questions and do everything custom.


It sounds like they have behavior-oriented rules that are just always triggered on Tor because Tor traffic has a disproportionate amount of bot traffic. I see no reason why behavioral blocking breaks down when an attack comes from an IP space that is usually more benign.

> The way many of us deal with automated password attacks is to issue questions that only locals or people with specific knowledge could answer. Change the questions and do everything custom.

If I'm understanding what you're saying, this sounds horrible. What if I'm visiting an area where I don't have local knowledge? What about for the year or so after I move into a new city? What if your assessment of what locals do and don't know is just wrong? There are a ridiculous number of failure modes in this questions-oriented approach. The only place this could possibly make sense is in some sort of internal company software, but even that context has better options available.

It is used commonly with Facebook groups. Having to answer a question related to the group topic filters out spammers. I do it for country-specific sites requiring knowledge. The information can be googled if desire is high.

Facebook groups I can see, especially because they're often surrounding specific niche topics that you can reasonably expect people to have some shared knowledge of, and the administrator of a Facebook group doesn't have that many levers to pull to reduce spam.

At the country level (and for applications where you have enough control over your infrastructure to use a real firewall) I question both the efficacy and accessibility of a system like you propose—it's not that different from the old style "what is 2+2" CAPTCHAs, and there's a good reason why most applications have moved on from those. They're not a serious alternative to behavioral rules like what OP describes.
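To make the "behavioral rules" side of this thread concrete, here is an added example (not code from the thread or from any participant) of login-attempt detection that keys on what a source does rather than where it comes from: attempt velocity, username churn and failure ratio per source, plus distinct-source count per account so a pool of residential proxies spraying one account is still caught. The log format, thresholds and window size are assumptions chosen for illustration; the sample log is constructed.

```python
"""Behavioural detection of automated password attacks (added example).

Sources are judged by their behaviour, not their reputation, so a Tor exit,
a residential proxy and a home DSL line all face the same rules.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample auth log: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7  cycles through many usernames fast (credential stuffing).
# 198.51.100.4 is one person who mistypes twice, then succeeds.
# 192.0.2.9-13 each try "alice" once (distributed spray via a proxy pool).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 alice FAIL
2024-05-01T10:00:01Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:04Z 203.0.113.7 erin FAIL
2024-05-01T10:00:05Z 203.0.113.7 frank FAIL
2024-05-01T10:00:06Z 203.0.113.7 grace OK
2024-05-01T10:00:10Z 198.51.100.4 alice FAIL
2024-05-01T10:00:40Z 198.51.100.4 alice FAIL
2024-05-01T10:01:20Z 198.51.100.4 alice OK
2024-05-01T10:02:00Z 192.0.2.9 alice FAIL
2024-05-01T10:02:01Z 192.0.2.10 alice FAIL
2024-05-01T10:02:02Z 192.0.2.11 alice FAIL
2024-05-01T10:02:03Z 192.0.2.12 alice FAIL
2024-05-01T10:02:04Z 192.0.2.13 alice FAIL
"""

# Thresholds are assumptions for the example; tune them against real traffic.
WINDOW = timedelta(seconds=60)
MAX_ATTEMPTS = 5          # attempts per source inside WINDOW
MIN_DISTINCT_USERS = 4    # username churn per source inside WINDOW
MIN_FAIL_RATIO = 0.8      # share of failed attempts per source
MIN_DISTINCT_SOURCES = 4  # sources failing on one account inside WINDOW


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the four-column log format above into time-sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(stamp, src, user, outcome == "OK"))
    return sorted(events, key=lambda e: e.ts)


def _windows(events: list[Event]):
    """Yield (event, events within WINDOW ending at event) with two pointers."""
    start = 0
    for i, e in enumerate(events):
        while events[start].ts < e.ts - WINDOW:
            start += 1
        yield e, events[start:i + 1]


def detect(events: list[Event]) -> set[tuple[str, str]]:
    """Return alerts as (kind, subject): ('stuffing', ip) or ('distributed', user)."""
    alerts: set[tuple[str, str]] = set()
    by_src: dict[str, list[Event]] = defaultdict(list)
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
        if not e.ok:
            by_user[e.user].append(e)

    # Per-source rule: many attempts, many usernames, mostly failures.
    for src, evs in by_src.items():
        for _, win in _windows(evs):
            fails = sum(1 for w in win if not w.ok)
            users = {w.user for w in win}
            if (len(win) >= MAX_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS
                    and fails / len(win) >= MIN_FAIL_RATIO):
                alerts.add(("stuffing", src))
                break

    # Per-account rule: one account failing from many sources at once,
    # which is how a proxy pool looks when each address stays under the per-source limit.
    for user, evs in by_user.items():
        for _, win in _windows(evs):
            if len({w.src for w in win}) >= MIN_DISTINCT_SOURCES:
                alerts.add(("distributed", user))
                break
    return alerts


def run_sample() -> set[tuple[str, str]]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, subject in sorted(run_sample()):
        print(f"{kind}: {subject}")
```

The human at 198.51.100.4 never trips either rule: three attempts on one account is neither high velocity nor username churn. The proxy pool is caught by the account-side rule even though each address only makes one attempt, which is the case the per-source rule alone would miss; in production the natural response is a per-account step-up (second factor, notification) rather than blocking the addresses.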