In this article we are going to look at how you can find incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server, the ones that show up as 535 Incorrect authentication errors in the Exim mail log.

Because your server is open to the Internet to accept mail from anywhere in the world, anyone in the world can also attempt to log in and send mail as one of your email addresses. Of course they need to provide the appropriate credentials for the email account before the server will actually let them relay a message, but that typically won't stop a spammer from trying again and again to get into your account.

A good way to keep tabs on who is trying to log in to your email accounts is the Exim mail log. I'll walk you through how to log in to your server and check on this very easily.

Please note that in order to follow along with this guide, you'll need root access on your VPS or dedicated server, so that you can read the Exim mail log.

Locate 535 incorrect authentication errors

Using the steps below I'll show you how to pull incorrect mail login attempts from your Exim mail log, and then how to block the offending IP address at the server's firewall, so the same host can't come back and keep trying to break into the account.

  1. Log in to your server via SSH as the root user.
  2. Run the following command to locate 535 incorrect authentication errors:

    grep "535 Incorrect" /var/log/exim_mainlog | awk -F"set_id=" '{print $2}' | sort | uniq -c | sort -n

    Code breakdown:

    grep "535 Incorrect" /var/log/exim_mainlog Locate every line in the Exim mail log that mentions 535 Incorrect.
    awk -F"set_id=" '{print $2}' Use awk with the field separator set to set_id= and print the second field, which is everything after set_id= (the account name, with the closing parenthesis from the log line still attached).
    sort | uniq -c | sort -n Finally sort the account names, count each unique name, and then sort those counts from lowest to highest.

    You should get back something like:

    1469 info@example.com)
    7901 sales@example.com)
    30966 test@example.com)
    75178 user@example.com)

    So now we can see that the user@example.com user has an extreme amount of failed login attempts at 75,178.

Find IP address causing incorrect logins

Now that we know the email address user@example.com had a huge number of incorrect login attempts, let's take a look at which IP address the malicious user has been connecting from so that we can block it.

  1. Run the following command to find what IP address is causing the 535 incorrect authentication errors:

    grep "535 Incorrect" /var/log/exim_mainlog | grep user@example.com | awk '{print $1,substr($9,2)}' | cut -d] -f1 | uniq -c

    Code breakdown:

    grep "535 Incorrect" /var/log/exim_mainlog Locate every line in the Exim mail log that mentions 535 Incorrect.
    grep user@example.com Keep only the lines where the user@example.com address is mentioned.
    awk '{print $1,substr($9,2)}' Use awk to print the 1st column (the date) and the 9th column starting from its second character, which drops the leading [ from the bracketed IP address.
    cut -d] -f1 | uniq -c Cut each line at the closing ] to drop the rest of that field, then count consecutive identical date/IP lines. Because the log is in time order, this gives you one total per day for each IP address.

    You should get back something like this:

    17109 2013-01-13 123.123.123.123
    17052 2013-01-14 123.123.123.123
    16999 2013-01-15 123.123.123.123
    16550 2013-01-16 123.123.123.123
    7616 2013-01-17 123.123.123.123
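    The two pipelines above, wrapped in shell functions and run against a few constructed exim_mainlog lines so the parsing can be checked offline. This is an added example, not part of the original article; the sample log lines, the function names and the ips_over_threshold function (which goes beyond the article by totalling failures per source IP across all accounts) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: the article's two pipelines
# as functions, plus constructed sample log lines to test them offline.
LOGFILE="${LOGFILE:-/var/log/exim_mainlog}"   # real log on an Exim server

# Constructed sample lines (not real log data). Field $9 is "[ip]:" and the
# account follows "set_id=", exactly what the article's awk/cut rely on.
SAMPLE_LOG=$(cat <<'EOF'
2013-01-13 03:14:01 dovecot_login authenticator failed for host.example.net (HELO) [123.123.123.123]: 535 Incorrect authentication data (set_id=user@example.com)
2013-01-13 03:14:02 dovecot_login authenticator failed for host.example.net (HELO) [123.123.123.123]: 535 Incorrect authentication data (set_id=user@example.com)
2013-01-13 04:00:00 dovecot_login authenticator failed for other.example.net (PC) [198.51.100.7]: 535 Incorrect authentication data (set_id=info@example.com)
2013-01-14 01:02:03 dovecot_login authenticator failed for host.example.net (HELO) [123.123.123.123]: 535 Incorrect authentication data (set_id=user@example.com)
2013-01-14 01:05:00 1SvXyz-0001ab-Cd <= sender@example.org H=mx.example.org [203.0.113.9] P=esmtp S=1234
EOF
)
write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# Article step 1: failed logins per account, lowest count first.
failed_by_account() {
    grep "535 Incorrect" "$1" | awk -F"set_id=" '{print $2}' | sort | uniq -c | sort -n
}

# Account with the most failures (last line of the sorted list, ")" stripped).
top_failed_account() {
    failed_by_account "$1" | tail -n 1 | awk '{print $2}' | tr -d ')'
}

# Article step 2: per-day failure counts and source IP for one account.
# uniq -c only merges adjacent lines, which works because the log is in
# time order; grep -F treats the address as a fixed string, not a regex.
failed_ips_for() {   # $1=logfile $2=account
    grep "535 Incorrect" "$1" | grep -F "$2" | awk '{print $1,substr($9,2)}' \
        | cut -d] -f1 | uniq -c
}

# Generalisation of step 2 (an assumption, not in the article): total
# failures per source IP across every account, keeping IPs at or above $2.
ips_over_threshold() {   # $1=logfile $2=minimum failures
    grep "535 Incorrect" "$1" | awk '{print substr($9,2)}' | cut -d] -f1 \
        | sort | uniq -c | awk -v min="$2" '$1 >= min {print $1, $2}' | sort -rn
}

# Stand-alone run: use the real log if readable, otherwise the sample.
if [ ! -r "$LOGFILE" ]; then LOGFILE=$(mktemp); write_sample_log "$LOGFILE"; fi
failed_by_account "$LOGFILE"
ips_over_threshold "$LOGFILE" 2
```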

Block IP address at server's firewall

Now that we know the IP address 123.123.123.123 has consistently been trying to log in to our user@example.com email account again and again, we can block that IP address at the server's firewall to prevent it from trying again.

  1. Run the following command to block the 123.123.123.123 IP address from your server:

    apf -d 123.123.123.123 "Failed mail logins to user@example.com"

    You should get back something like this:

    apf(23589): (trust) added deny all to/from 123.123.123.123

You should now understand how to locate 535 incorrect authentication errors on your server, find the users causing the majority of these errors, and then block the IP address of the malicious user attempting to login to the account.
