1. Home
  2. 535 incorrect authentication

535 incorrect authentication

535 incorrect authentication
535 incorrect authentication

In this tutorial we will teach you how to see incorrect mail login attempts that were causing 535 incorrect authentication errors in the Exam mail log on your VPS or dedicated server.
Since your server is open to the internet and can accept mail from everywhere in the world, this means that anybody in the world could try to login and send mail as one of your email addresses. They will, however, have to provide the correct credentials for the email account in order to relay the message. Although sound, this may not stop a spammer from attempting to get into your account multiple times.
A great way to keep tabs on who is attempting to login to your email accounts through the use of the Exim mail log; using this you can login to your server and check easily.

Locate 535 incorrect authentication errors

In the steps below, we will teach you how to pull incorrect mail login attempts from your Exim mail log. Then, how you can go about blocking malicious users from your server in a way that means they won’t be able to come back from the same IP address and proceed attempting to break into your account.
Login to your server with SSH as the root user.
Execute the command below in order to locate 535 incorrect authentication errors.

grep "535 Incorrect" /var/log/exim_mainlog | awk -F"set_id=" '{print $2}' | sort | uniq -c | sort -n

You should receive a similar output to the one stated here.

 1469 info@example.com)
 7901 sales@example.com)
 30966 test@example.com)
 75178 user@example.com)

Now you will be able to see that the ‘user@example.com’ user has a huge number of failed login attempts, sitting at 75,178.

Finding the IP address causing incorrect logins

Since you now know which email address has the largest amount of incorrect login attempts, you can take a look at which IP address the malicious user has tried to connect from and then proceed to block it.
The following command will allow you to see what IP addresses is causing the 535 incorrect authentication errors. Execute it.

grep "535 Incorrect" /var/log/exim_mainlog | grep user@example.com | awk '{print $1,substr($9,2)}' | cut -d] -f1 | uniq -c

You should receive a similar output to the one stated here.

 17109 2014-01-13
 17052 2014-01-14
 16999 2014-01-15
 16550 2014-01-16
 7616 2014-01-17

Block the IP address at server’s firewall

Since you now know that the IP address ‘’ (in our example) has been continuously trying to login to our ‘user@example.com’ email account, you can block their IP address at the server’s firewall to stop them from attempting again.
Execute the following command to block the IP address from the server.

csf -d "Failed mail logins to user@example.com"

You should receive a similar output to the one stated here.

csf(23589): (trust) added deny all to/from

Now you can locate 535 incorrect authentication errors on your server, find the users that are causing the majority of those errors, and then block the IP address of the malicious user who’s trying to login to the account.

Updated on February 2, 2018

Was this article helpful?

Leave a Comment

[apsl-login-lite login_text='Please login with a social account']