rowen:
You're not 'pushing' them away, you've outlined maybe half the scenarios.
Oftentimes 401s are also people looking to see if the members area is not protected or uses a simple password protection to break (or brute force).
The point of handling 401 traffic is to send the real failed user to a page that gives them a lost password lookup. But more often than not the person hitting the page isn't a member (hell, half the time isn't even human).
Strategies I've seen/used:
log it, count it, cookie it (if a cookie can't be set then redirect).
send it to a standard error page (normally with a popunder)
if the count for a particular IP/username exceeds X attempts redirect to an in niche gallery
if IP/username exceeds Y attempts get it off the server, send it to a top list or feed trades or raw no ratio affiliate (yeah, you may get banned or kicked out of the program)
I actually had a nightly report of logins/attempts. I counted the usernames; it was easy to see shared passwords etc. without the need for any of the fancy applications out there, and I made $$ off the traffic by redirecting usernames I knew were bad/shared/etc.
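The counting and nightly report described in the post above, sketched as an added example (not the poster's code): it tallies 401s per IP and per username against two thresholds and flags usernames that log in successfully from several distinct IPs. The Apache common log format, the threshold values, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed thresholds; the post only calls them X and Y.
X_SOFT = 3        # more failures than this: first-tier handling
Y_HARD = 6        # more failures than this: second-tier handling
SHARED_IPS = 3    # successful logins from this many distinct IPs: likely shared

# ip, identd, user, [timestamp], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3}) ')

def _line(ip, user, status):
    return (f'{ip} - {user} [10/Oct/2023:13:55:36 +0000] '
            f'"GET /members/ HTTP/1.1" {status} 512')

# Constructed sample traffic (documentation IP ranges, made-up usernames).
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", "admin", 401)] * 7
    + [_line("203.0.113.9", "bob", 401)] * 4
    + [_line(f"192.0.2.{i}", "carol", 200) for i in (10, 20, 30)]
    + [_line("192.0.2.44", "alice", 401), _line("192.0.2.44", "alice", 200)]
)

def nightly_report(log_text, x=X_SOFT, y=Y_HARD, shared_ips=SHARED_IPS):
    fails = Counter()             # ("ip", addr) or ("user", name) -> 401 count
    ok_ips = defaultdict(set)     # username -> IPs with a successful login
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, user, status = m.groups()
        if status == "401":
            fails[("ip", ip)] += 1
            if user != "-":       # "-" means no username was sent
                fails[("user", user)] += 1
        elif status.startswith("2") and user != "-":
            ok_ips[user].add(ip)
    return {
        "soft": sorted(k for k, n in fails.items() if x < n <= y),
        "hard": sorted(k for k, n in fails.items() if n > y),
        "shared": sorted(u for u, ips in ok_ips.items() if len(ips) >= shared_ips),
    }

if __name__ == "__main__":
    for tier, keys in nightly_report(SAMPLE_LOG).items():
        print(tier, keys)
```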
