InMotion Hosting Support Center

In this article we'll show you how to review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication errors in the Exim mail log.

Because your server is open to the Internet to accept mail from anywhere in the world, anyone in the world can also attempt to log in and send mail as one of your email addresses. Of course they need to provide the appropriate credentials for the email account before the server will actually allow them to relay a message, but this typically won't stop a spammer from trying again and again to get into your account.

A good way to keep tabs on who is trying to log in to your email accounts is the Exim mail log. I'll walk you through how you can log in to your server and check this very easily.

Please note that in order to follow along with this guide, you'll need root access on your VPS or dedicated server so that you can read the Exim mail log.

Locate 535 incorrect authentication errors

Using the steps below I'll show you how to pull incorrect mail login attempts from your Exim mail log, and then how to block malicious users from your server so that they can't come back from the same IP address and keep trying to break into your account.

  1. Log in to your server via SSH as the root user.
  2. Run the following command to locate 535 incorrect authentication errors:

    grep "535 Incorrect" /var/log/exim_mainlog | awk -F"set_id=" '{print $2}' | sort | uniq -c | sort -n

    Code breakdown:

    grep "535 Incorrect" /var/log/exim_mainlog
        Locate mentions of 535 Incorrect in the Exim mail log.
    awk -F"set_id=" '{print $2}'
        Use the awk command with the field separator set to set_id= and then print the second field, which is everything following set_id= on the line.
    sort | uniq -c | sort -n
        Finally sort the users, count each unique one, and then sort the counts from lowest to highest.

    You should get back something like:


    So now we can see that the user has an extremely high number of failed login attempts, at 75,178.

Find IP address causing incorrect logins

Now that we know the email address had a huge number of incorrect login attempts, let's take a look at what IP address the malicious user has attempted to connect from so that we can block it.

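  1. Run the following command to find what IP address is causing the 535 incorrect authentication errors (user@example.com is a placeholder; replace it with the email address found in the previous step):

    grep "535 Incorrect" /var/log/exim_mainlog | grep "user@example.com" | awk '{print $1,substr($9,2)}' | cut -d] -f1 | uniq -c

    Code breakdown:

    grep "535 Incorrect" /var/log/exim_mainlog
        Locate mentions of 535 Incorrect in the Exim mail log.
    grep "user@example.com"
        Only find the lines where the address is mentioned.
    awk '{print $1,substr($9,2)}'
        Use the awk command to print only the first column of data, showing the date, and then the ninth column starting at its second character, which strips off the leading [ in front of the IP address.
    cut -d] -f1 | uniq -c
        Cut off everything from the closing ] onward so that just the IP address remains, then count consecutive identical lines.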

    You should get back something like this:

    17109 2013-01-13
    17052 2013-01-14
    16999 2013-01-15
    16550 2013-01-16
    7616 2013-01-17
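
The commands above rely on the IP address being the ninth whitespace-separated column, which depends on how each log line is laid out. As an added example that is not part of the original article, the function below tallies failures per email address and IP by pattern instead; the names sample_log and failed_auth_summary and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count Exim "535 Incorrect" failures per (set_id, source IP)
# without depending on which column the IP address falls in.

# Constructed sample lines using documentation addresses, not real log data.
sample_log() {
cat <<'EOF'
2013-01-13 00:00:01 dovecot_login authenticator failed for (User) [203.0.113.10]:4312: 535 Incorrect authentication data (set_id=user@example.com)
2013-01-13 00:00:03 dovecot_login authenticator failed for host.example.net (User) [203.0.113.10]:4313: 535 Incorrect authentication data (set_id=user@example.com)
2013-01-13 00:00:09 dovecot_plain authenticator failed for ([192.168.1.5]) [198.51.100.7]:5100: 535 Incorrect authentication data (set_id=info@example.com)
2013-01-13 00:01:00 dovecot_login authenticator failed for (User) [203.0.113.10]:4320: 535 Incorrect authentication data (set_id=user@example.com)
2013-01-13 00:02:00 1TuAbc-0001Xy-2Z <= user@example.com H=(client) [192.0.2.55]:2000 P=esmtpa
EOF
}

# failed_auth_summary [FILE]
# Reads FILE (or stdin) and prints "COUNT SET_ID IP", highest count first.
failed_auth_summary() {
  awk '
    /535 Incorrect/ {
      id = "-"; ip = "-"
      # The attempted login name: set_id=... up to the closing parenthesis.
      if (match($0, /set_id=[^)]*/))
        id = substr($0, RSTART + 7, RLENGTH - 7)
      # The remote host: the bracketed address with no parenthesis between
      # it and the 535 text, so a bracketed literal inside the (HELO) name
      # is skipped.
      if (match($0, /\[[0-9A-Fa-f.:]+\][^()]*535 Incorrect/)) {
        rest = substr($0, RSTART + 1)
        ip = substr(rest, 1, index(rest, "]") - 1)
      }
      count[id " " ip]++
    }
    END { for (k in count) print count[k], k }
  ' "${1:--}" | sort -k1,1nr -k2
}

# Demonstration on the constructed sample.
# On a server: failed_auth_summary /var/log/exim_mainlog
sample_log | failed_auth_summary
```

Because it counts in an array rather than with uniq -c, repeated address and IP pairs are totalled even when other entries appear between them in the log.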

Block IP address at server's firewall

Now that we know the IP address has consistently been trying to log in to our email account again and again, we can block it at the server's firewall to prevent further attempts.

  1. Run the following command to block the IP address from your server (IP_ADDRESS and user@example.com are placeholders; replace them with the IP address and email address found in the previous steps):

    apf -d IP_ADDRESS "Failed mail logins to user@example.com"

    You should get back something like this:

    apf(23589): (trust) added deny all to/from

You should now understand how to locate 535 incorrect authentication errors on your server, find the users causing the majority of these errors, and then block the IP address of the malicious user attempting to log in to the account.
