Charles, on the “lockout” thing, the username is static if they just read up the name up to the dot. Remember, twitter names don’t allow dots, so these attempts;

foobar.gudom@yfrog.com
foobar.dudom@yfrog.com
foobar.tudom@yfrog.com

Could easily be interpreted by yfrog to be attempts to get into foobar’s account without permission. The username that matters here if “foobar”, you can think of the word after the dot as the “password”, it’s just hard to imagine it as a password because this scheme is so stupidly insecure.

I’m trying to be fair here, but I have to note I tried 3 wrong email addresses for my real twitter account and it didn’t lock out anything. I also agree with you, the people spouting this lock out thing don’t seem to have tested it well or at all (for example, was the lockout temporary, how do you remove it, etc).