Email Error 535 Incorrect Authentication

In this article we are going to review how you can review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication errors in the Exim mail log.

Because your server is open to the Internet to accept mail from anywhere in the world, this also means that anyone in the world can attempt to try to login and send mail as one of your email addresses. Of course they need to provide the appropriate credentials for the email account in order for the server to actually allow them to relay the message, but this typically won’t stop a spammer from trying again and again to get in to your account.

A good way to keep tabs on who is trying to login to your email accounts is using the Exim mail log. I’ll walk you through how you can login to your server and check on this very easily.

Please note that in order to follow along with this guide, you’ll need root access on either your VPS or dedicated server, this way you have access to the Exim mail log.

Locate 535 incorrect authentication errors

Using the steps below I’ll show you how to pull incorrect mail login attempts from your Exim mail log, and then how to go about blocking malicious users from your server, this way they can’t come back from the same IP address and continue to try to break into your account.

  1. Login to your server via SSH as the root user.
  2. Run the following command to locate 535 incorrect authentication errors:
    grep "535 Incorrect" /var/log/exim_mainlog | awk -F"set_id=" '{print $2}' | sort |
    uniq -c | sort -n

    Code breakdown:

    grep “535 Incorrect” /var/log/exim_mainlogLocate mentions of 535 Incorrect in the Exim mail log.
    awk -F”set_id=” ‘{print $2}’Use the awk command with the Field seperator set to set_id= and then print out the $2nd set of data following that.
    sort | uniq -c | sort -nFinally sort the users, then uniquely count them, and then sort them again lowest to highest.

    You should get back something like:
    1469 [email protected])
    7901 [email protected])
    30966 [email protected])
    75178 [email protected])

    So now we can see that the [email protected] user has an extreme amount of failed login attempts at 75,178.

Find IP address causing incorrect logins

Now that we know the email address [email protected] had a huge amount of incorrect login attempts, lets take a look at what IP address the malicious user has attempted to connect from so that we can block it.

  1. Run the following command to find what IP address is causing the 535 incorrect authentication errors:grep "535 Incorrect" /var/log/exim_mainlog | grep [email protected] |
    awk '{print $1,substr($9,2)}' | cut -d] -f1 | uniq -c

    Code breakdown:

    grep “535 Incorrect” /var/log/exim_mainlogLocate mentions of 535 Incorrect in the Exim mail log.
    grep [email protected]Only find the lines where the [email protected] address is mentioned.
    awk ‘{print $1,substr($9,2)}’Use the awk command to only print out the $1st colum of data showing the date, and then the $9th column but stipping off the first 2 characters so we get just the IP address.

    You should get back something like this:
    17109 2013-01-13 123.123.123.123
    17052 2013-01-14 123.123.123.123
    16999 2013-01-15 123.123.123.123
    16550 2013-01-16 123.123.123.123
    7616 2013-01-17 123.123.123.123

Block IP address at server’s firewall

Now that we know the IP address 123.123.123.123 has consistently been trying to login to our [email protected] email account again and again, we can block their IP address at the server’s firewall to prevent them from trying again.

  1. Run the following command to block the 123.123.123.123 IP address from your server:apf -d 123.123.123.123 "Failed mail logins to [email protected]"You should get back something like this:apf(23589): (trust) added deny all to/from 123.123.123.123

You should now understand how to locate 535 incorrect authentication errors on your server, find the users causing the majority of these errors, and then block the IP address of the malicious user attempting to login to the account.

InMotion Hosting Contributor
InMotion Hosting Contributor Content Writer

InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!

More Articles by InMotion Hosting

Was this article helpful? Join the conversation!

Questions about our MailChannels Deployment? We have answers and are here to help!Learn More
+