Solution was to make a squid queue with about 1KB/sec bandwidth, and dump the most-visited porn websites into that queue. Sure, you'll get your smut, after about 10 minutes per pic download time. This worked far better - it was a bit like shadow-banning the website, in that they wouldn't be notified it was blocked, it just would be (to all intents and purposes). AFAIK, they never figured it out.
Even if that weren't true, one could always just throttle the proxy as if it were a porn site.
For example, if you enter three bad usernames into a certain Exchange OWA I manage, then HAProxy sends you off to a fake login page and I hoover the data. If you enter a legitimate username but multiple incorrect passwords, then the same thing happens. The fake login page runs rather slowly but not too slow. IPs that fail are fed to the firewall. I maintain a whitelist of IPs for users that have a static IP at home. If a legitimate user falls foul of that lot, they are reminded about VPNs.
Funnily enough, simply ratcheting up your TLS to 1.2 minimum fixes an awful lot of cracking attempts. Older unpatched systems simply can't even connect, let alone try to log in. Sadly this won't be an option for many orgs (someone will insist on owning some wanky old thing and be too stingy to upgrade it and have enough clout in the firm to foil you) but as I happen to own mine I get to lay down the law 8)
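The divert-after-failures policy described in the comment above, replayed over login events as an added example (not the commenter's HAProxy configuration). The password threshold of 3 (the comment says only "multiple"), the function and variable names, and all sample users and IPs are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

BAD_USERNAME_LIMIT = 3   # "three bad usernames" (from the comment)
BAD_PASSWORD_LIMIT = 3   # assumed: the comment says only "multiple"
ALLOWLIST = [ip_network("198.51.100.7/32")]   # constructed: a user's static home IP
KNOWN_USERS = {"alice", "bob"}                # constructed directory

def route_logins(events):
    """Replay (ip, username, success) events in order.

    Returns (decisions, blocklist): each decision is 'real' or 'decoy',
    and blocklist holds the IPs that would be fed to the firewall.
    """
    bad_user = defaultdict(int)   # per-IP count of unknown usernames
    bad_pass = defaultdict(int)   # per-(IP, user) count of wrong passwords
    flagged, decisions = set(), []
    for ip, user, ok in events:
        if any(ip_address(ip) in net for net in ALLOWLIST):
            decisions.append("real")    # allowlisted IPs are never diverted
            continue
        if ip in flagged:
            decisions.append("decoy")   # once flagged, stay on the decoy page
            continue
        decisions.append("real")
        key = (ip, user.lower())
        if user.lower() not in KNOWN_USERS:
            bad_user[ip] += 1
        elif not ok:
            bad_pass[key] += 1
        else:
            bad_pass.pop(key, None)     # a success resets that user's counter
        if bad_user[ip] >= BAD_USERNAME_LIMIT or bad_pass[key] >= BAD_PASSWORD_LIMIT:
            flagged.add(ip)
    return decisions, sorted(flagged)

# Constructed sample events: a username sprayer, an allowlisted user with a
# forgotten password, and a password guesser against a valid account.
SAMPLE_EVENTS = (
    [("203.0.113.5", u, False) for u in ("admin", "administrator", "test", "alice")]
    + [("198.51.100.7", "bob", False)] * 4
    + [("192.0.2.9", "alice", False)] * 3 + [("192.0.2.9", "alice", True)]
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, route_logins(SAMPLE_EVENTS)[0]):
        print(event, "->", decision)
```

Note the last sample event: a correct password from an already-flagged IP still lands on the decoy, which is why the allowlist and the VPN reminder matter for legitimate users.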
Sadly, this does remind me of that photo of a Darth Vader with a Brita water filter in a large body of water.
You're not really going to have an impact, but you are doing something.
The United States is the #2 top source of cyber attacks, accounting for about 10% of all malicious traffic in the world and with 17.12% of cyber attacks initiated from there.
What you need to look at is how much of the traffic that hits your servers specifically is malicious relative to the amount of traffic that is bringing you revenue. Then you decide what countries to block.
