{"id":805,"date":"2013-01-17T15:26:20","date_gmt":"2013-01-17T20:26:20","guid":{"rendered":"https:\/\/www.inmotionhosting.com\/support\/2013\/01\/17\/535-incorrect-authentication\/"},"modified":"2021-08-16T23:23:57","modified_gmt":"2021-08-17T03:23:57","slug":"email-error-535","status":"publish","type":"post","link":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/","title":{"rendered":"Email Error 535 Incorrect Authentication"},"content":{"rendered":"

In this article we are going to review how you can review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication<\/strong> errors in the Exim mail log.<\/p>\n

Because your server is open to the Internet to accept mail from anywhere in the world, this also means that anyone in the world can attempt to try to login and send mail as one of your email addresses. Of course they need to provide the appropriate credentials for the email account in order for the server to actually allow them to relay the message, but this typically won’t stop a spammer from trying again and again to get in to your account.<\/p>\n

A good way to keep tabs on who is trying to login to your email accounts is using the Exim mail log. I’ll walk you through how you can login to your server and check on this very easily.<\/p>\n

Please note that in order to follow along with this guide, you’ll need root access<\/a> on either your VPS or dedicated server, this way you have access to the Exim mail log.<\/p>\n

Locate 535 incorrect authentication errors<\/h2>\n

Using the steps below I’ll show you how to pull incorrect mail login attempts from your Exim mail log, and then how to go about blocking malicious users from your server, this way they can’t come back from the same IP address and continue to try to break into your account.<\/p>\n

    \n
  1. Login to your server via SSH<\/a> as the root user.<\/li>\n
  2. Run the following command to locate 535 incorrect authentication<\/strong> errors:
    \ngrep \"535 Incorrect\" \/var\/log\/exim_mainlog | awk -F\"set_id=\" '{print $2}' | sort |
    \nuniq -c | sort -n<\/code>
    \nCode breakdown:<\/strong><\/p>\n\n\n\n\n\n
    grep “535 Incorrect” \/var\/log\/exim_mainlog<\/th>\nLocate mentions of 535 Incorrect<\/strong> in the Exim mail log.<\/td>\n<\/tr>\n
    awk -F”set_id=” ‘{print $2}’<\/th>\nUse the awk<\/strong> command with the F<\/strong>ield seperator set to set_id=<\/strong> and then print out the $2<\/strong>nd set of data following that.<\/td>\n<\/tr>\n
    sort | uniq -c | sort -n<\/th>\nFinally sort the users, then uniquely count them, and then sort them again lowest to highest.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    You should get back something like:
    \n1469 info@example.com)
    \n7901 sales@example.com)
    \n30966 test@example.com)
    \n75178 user@example.com)<\/code>
    \nSo now we can see that the user@example.com<\/strong> user has an extreme amount of failed login attempts at 75,178<\/strong>.<\/li>\n<\/ol>\n

    Find IP address causing incorrect logins<\/h2>\n

    Now that we know the email address user@example.com<\/strong> had a huge amount of incorrect login attempts, lets take a look at what IP address the malicious user has attempted to connect from so that we can block it.<\/p>\n

      \n
    1. Run the following command to find what IP address is causing the 535 incorrect authentication<\/strong>\u00a0errors:grep \"535 Incorrect\" \/var\/log\/exim_mainlog | grep user@example.com |
      \nawk '{print $1,substr($9,2)}' | cut -d] -f1 | uniq -c<\/code>
      \nCode breakdown:<\/strong><\/p>\n\n\n\n\n\n
      grep “535 Incorrect” \/var\/log\/exim_mainlog<\/th>\nLocate mentions of 535 Incorrect<\/strong> in the Exim mail log.<\/td>\n<\/tr>\n
      grep user@example.com<\/th>\nOnly find the lines where the user@example.com<\/strong> address is mentioned.<\/td>\n<\/tr>\n
      awk ‘{print $1,substr($9,2)}’<\/th>\nUse the awk<\/strong> command to only print out the $1<\/strong>st colum of data showing the date, and then the $9<\/strong>th column but stipping off the first 2<\/strong> characters so we get just the IP address.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      You should get back something like this:
      \n17109 2013-01-13 123.123.123.123
      \n17052 2013-01-14 123.123.123.123
      \n16999 2013-01-15 123.123.123.123
      \n16550 2013-01-16 123.123.123.123
      \n7616 2013-01-17 123.123.123.123<\/code><\/li>\n<\/ol>\n

      Block IP address at server’s firewall<\/h2>\n

      Now that we know the IP address 123.123.123.123<\/strong> has consistently been trying to login to our user@example.com<\/strong> email account again and again, we can block their IP address at the server’s firewall to prevent them from trying again.<\/p>\n

        \n
      1. Run the following command to block the 123.123.123.123<\/strong> IP address from your server:apf -d 123.123.123.123 \"Failed mail logins to user@example.com\"<\/code>You should get back something like this:apf(23589): (trust) added deny all to\/from 123.123.123.123<\/code><\/li>\n<\/ol>\n

        You should now understand how to locate 535 incorrect authentication<\/strong> errors on your server, find the users causing the majority of these errors, and then block the IP address of the malicious user attempting to login to the account.<\/p>\n","protected":false},"excerpt":{"rendered":"

        In this article we are going to review how you can review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication errors in the Exim mail log. Because your server is open to the Internet to accept mail from anywhere in the world, this also Read More ><\/a><\/p>\n","protected":false},"author":57014,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-805","post","type-post","status-publish","format-standard","hentry","category-email"],"acf":[],"yoast_head":"\nEmail Error 535 Incorrect Authentication in the Exim Email Log<\/title>\n<meta name=\"description\" content=\"In this article we are going to cover how you can review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication errors in the Exim mail log.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Email Error 535 Incorrect Authentication in the Exim Email Log\" \/>\n<meta property=\"og:description\" content=\"In this article we are going to cover how you can review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication errors in the Exim mail log.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/\" \/>\n<meta property=\"og:site_name\" content=\"InMotion Hosting Support Center\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/inmotionhosting\/\" \/>\n<meta property=\"article:published_time\" content=\"2013-01-17T20:26:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-17T03:23:57+00:00\" \/>\n<meta name=\"author\" content=\"InMotion Hosting Contributor\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/InMotionHosting\" \/>\n<meta name=\"twitter:site\" content=\"@InMotionHosting\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"InMotion Hosting Contributor\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/\"},\"author\":{\"name\":\"InMotion Hosting Contributor\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644\"},\"headline\":\"Email Error 535 Incorrect Authentication\",\"datePublished\":\"2013-01-17T20:26:20+00:00\",\"dateModified\":\"2021-08-17T03:23:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/\"},\"wordCount\":607,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\"},\"articleSection\":[\"Email\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/\",\"name\":\"Email Error 535 Incorrect Authentication in the Exim Email Log\",\"isPartOf\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#website\"},\"datePublished\":\"2013-01-17T20:26:20+00:00\",\"dateModified\":\"2021-08-17T03:23:57+00:00\",\"description\":\"In this article we are going to cover how you can review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication errors in the Exim mail log.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.inmotionhosting.com\/support\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Email Error 535 Incorrect Authentication\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#website\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/\",\"name\":\"InMotion Hosting Support Center\",\"description\":\"Web Hosting Support & Tutorials\",\"publisher\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.inmotionhosting.com\/support\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\",\"name\":\"InMotion Hosting\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg\",\"contentUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg\",\"width\":696,\"height\":696,\"caption\":\"InMotion Hosting\"},\"image\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/inmotionhosting\/\",\"https:\/\/x.com\/InMotionHosting\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644\",\"name\":\"InMotion Hosting Contributor\",\"description\":\"InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/inmotion-hosting\/\",\"https:\/\/x.com\/https:\/\/twitter.com\/InMotionHosting\"],\"url\":\"https:\/\/www.inmotionhosting.com\/support\/author\/inmotion-hosting-contributor\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Email Error 535 Incorrect Authentication in the Exim Email Log","description":"In this article we are going to cover how you can review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication errors in the Exim mail log.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/","og_locale":"en_US","og_type":"article","og_title":"Email Error 535 Incorrect Authentication in the Exim Email Log","og_description":"In this article we are going to cover how you can review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication errors in the Exim mail log.","og_url":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/","og_site_name":"InMotion Hosting Support Center","article_publisher":"https:\/\/www.facebook.com\/inmotionhosting\/","article_published_time":"2013-01-17T20:26:20+00:00","article_modified_time":"2021-08-17T03:23:57+00:00","author":"InMotion Hosting Contributor","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/InMotionHosting","twitter_site":"@InMotionHosting","twitter_misc":{"Written by":"InMotion Hosting Contributor","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/#article","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/"},"author":{"name":"InMotion Hosting Contributor","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644"},"headline":"Email Error 535 Incorrect Authentication","datePublished":"2013-01-17T20:26:20+00:00","dateModified":"2021-08-17T03:23:57+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/"},"wordCount":607,"commentCount":0,"publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"articleSection":["Email"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/","url":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/","name":"Email Error 535 Incorrect Authentication in the Exim Email Log","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#website"},"datePublished":"2013-01-17T20:26:20+00:00","dateModified":"2021-08-17T03:23:57+00:00","description":"In this article we are going to cover how you can review incorrect mail login attempts on your VPS (Virtual Private Server) or dedicated server that are causing 535 incorrect authentication errors in the Exim mail log.","breadcrumb":{"@id":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.inmotionhosting.com\/support\/email\/email-error-535\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inmotionhosting.com\/support\/"},{"@type":"ListItem","position":2,"name":"Email Error 535 Incorrect Authentication"}]},{"@type":"WebSite","@id":"https:\/\/www.inmotionhosting.com\/support\/#website","url":"https:\/\/www.inmotionhosting.com\/support\/","name":"InMotion Hosting Support Center","description":"Web Hosting Support & Tutorials","publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inmotionhosting.com\/support\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.inmotionhosting.com\/support\/#organization","name":"InMotion Hosting","url":"https:\/\/www.inmotionhosting.com\/support\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/","url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","contentUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","width":696,"height":696,"caption":"InMotion Hosting"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/inmotionhosting\/","https:\/\/x.com\/InMotionHosting"]},{"@type":"Person","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644","name":"InMotion Hosting Contributor","description":"InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!","sameAs":["https:\/\/www.linkedin.com\/company\/inmotion-hosting\/","https:\/\/x.com\/https:\/\/twitter.com\/InMotionHosting"],"url":"https:\/\/www.inmotionhosting.com\/support\/author\/inmotion-hosting-contributor\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"primary_category":null,"_links":{"self":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/users\/57014"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/comments?post=805"}],"version-history":[{"count":7,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/805\/revisions"}],"predecessor-version":[{"id":85062,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/805\/revisions\/85062"}],"wp:attachment":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/media?parent=805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/categories?post=805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/tags?post=805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}