
While funny, real-looking fake login data might be more useful, as it's probably real easy to filter the few large requests. Unless, of course, you bring down the server and stop the whole operation (for a time).

It would be quite interesting to do a study on both options using a honeypot-account (to detect whether the login could be extracted by the spammer).




So the script we wrote created real email addresses and user names. The Ruby gem Faker (https://github.com/faker-ruby/faker) takes care of that.

But yeah, you are probably right. 10MB passwords possibly made it too easy for the scammer to filter out the bum data.

We did only make the 10MB change very late in our attack, so the scammer got 1000s of fake names and emails before we cranked up the mass of each individual request.



