This message is thrown in 2locations, in the validateEmail() method and in the verifyChallenge() method. Since your customer is loggin in with email, not with code, I assume it comes from the validateEmail() method when the IP is blocked after too many attempts to log in.
all i see in the site/accounts are the individual account folders, no .logins file. i can see other files that start with a dot (eg: .htaccess) so i know that’s not the issue. my client is running into this same ‘Rate limit exceeded’ error and i need to reset it.