They can use proxies to make the entries appear from a completely different system, or sometimes abuse different login methods to that website. For example, awhile back, while Twitter itself DID lock you after multiple failed attempts, you could attempt to login via TweetDeck or Mobile Web Twitter an unlimited amount of times.