"Someone was trying to log in via Pop3 using an array of different user names which caused some of our mailboxes to become locked..."
This is good! It means the system worked and possibly prevented a more serious breach. While it's inconvenient, being locked out is far better than being compromised.
"I created a new Class of service for the users that need Pop3 access."
You've reduced the number of possible accounts that could be victimized in this way, but not the problem itself.
The only way to be sure this never happens again is to stop using POP, but that's not always practical.
There are two possible reasons for this attack. Either you were just unlucky and got picked by some idiot trying random POP servers, or someone deliberately picked your organization for a specific reason.
Check the IP address the attack came from. If it's from China or Russia, for example, it's probably a random scam artist. But if it came from a local ISP, or the location of a disgruntled former employee, then you might have reason to be more concerned about future attempts, and should probably contact law enforcement.
You mentioned that only certain people need POP access. Why do they need POP3 access in particular? If it's just for convenience, you might want to rethink.
If these people are connecting from known locations, you could use your firewall to block incoming connections from all but known IP addresses or MAC addresses. That might defeat the purpose though if your goal is to have POP3 available to people connecting from arbitrary remote locations.
Something else to be aware of: POP3 is a completely unsecured protocol. Everything, including usernames and passwords, is sent in clear text over the network. That makes it easy to steal your login information.
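
For the "check the IP address the attack came from" step, the following Python script is an added example and not part of the original answer: it groups failed POP3 logins by source address and flags any address that failed against several different usernames. The log line format, the field names and the sample lines are constructed assumptions; adapt the regular expression to your mail server's actual log.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed format (not from any real server).
SAMPLE_LOG = """\
2024-01-10 03:12:01 pop3 auth failed user=alice ip=203.0.113.7
2024-01-10 03:12:02 pop3 auth failed user=bob ip=203.0.113.7
2024-01-10 03:12:03 pop3 auth failed user=carol ip=203.0.113.7
2024-01-10 03:12:04 pop3 auth failed user=dave ip=203.0.113.7
2024-01-10 03:12:05 pop3 auth failed user=Alice ip=203.0.113.7
2024-01-10 08:30:11 pop3 auth failed user=erin ip=198.51.100.20
2024-01-10 08:30:19 pop3 auth failed user=erin ip=198.51.100.20
2024-01-10 08:30:40 pop3 auth ok user=erin ip=198.51.100.20
"""

# Assumed line layout: "<date> <time> pop3 auth <failed|ok> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^\S+ \S+ pop3 auth (?P<result>failed|ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def summarize_failures(log_text):
    """Return {ip: {"attempts": int, "users": set}} for failed POP3 logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "failed":
            continue  # skip successes and lines in other formats
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"].lower())  # usernames compared case-insensitively
    return dict(stats)

def flag_sources(log_text, min_distinct_users=3):
    """List (ip, attempts, users) for IPs that failed against many different accounts."""
    flagged = [
        (ip, s["attempts"], sorted(s["users"]))
        for ip, s in summarize_failures(log_text).items()
        if len(s["users"]) >= min_distinct_users
    ]
    return sorted(flagged, key=lambda row: -row[1])  # noisiest source first

if __name__ == "__main__":
    for ip, attempts, users in flag_sources(SAMPLE_LOG):
        print(f"{ip}: {attempts} failures across {len(users)} users: {', '.join(users)}")
```

A single user mistyping a password (the second address in the sample) stays below the threshold, while the address cycling through usernames is reported with the list of accounts it touched.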