535 Incorrect authentication data

spsgorgan

Hi. I have a problem I cannot solve.
One of our clients uses a program that connects to the mail server every 5 seconds.
DirectAdmin Brute Force Monitor shows the following error:

2012-12-22 14:21:53 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)

[email protected] : our client email

Where do you think is the problem?
 
please help me :(
Check your log to see if your user is trying multiple login requests using different protocols. If so, set the mail client to only use the protocol you allow.

And you may want to tell your client that checking for new mail so often is abuse of your server. It will result in multiple threads running for the user at the same time and could increase your server load.

Jeff
 
Thanks Jeff, please tell me how to change the number of SMTP connections for 1 user?
I guess this user logs in with many connections to the server in 1 minute, and it is likely that, because of the high number of connections, the server detects an attack, but it is not one.

(I'm sorry for badly written English)
 
Do you think that
if I change the value of smtp_accept_max from 100 to 300 or 500, this problem will be resolved?
 
Do you see "too many connections" in your /var/log/exim/mainlog? If not, then the changing of the "smtp_accept_max" setting might not help (of course you might want to check it yourself).
 
Hi zEitEr, thanks for the answer.
I see this log in Brute Force Monitor:

13565962210000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:16:35 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565964610000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:20:15 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565971210000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:31:29 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565971210001 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:31:40 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565971210002 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:31:45 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565971210003 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:31:49 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565974210000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:36:19 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565977810000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:42:42 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565978410000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:43:12 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565979610000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:45:35 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565987410000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:58:53 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565987410001 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 03:58:53 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565992810000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:08:01 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565998210000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:16:10 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13565998210001 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:16:11 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13566002410000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:23:11 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13566016810000 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:47:16 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13566016810001 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:47:16 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13566016810002 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:47:20 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13566016810003 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:47:20 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13566016810004 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:47:24 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)
13566016810005 xx.xx.xxx.xx "[email protected]"<[email protected]> 1 exim2 2012-12-27 04:47:24 login authenticator failed for [xx.xx.xxx.xx]: 535 Incorrect authentication data (set_id="[email protected]"<[email protected]>)


Dear friend, what is your opinion?
 
I looked at /var/log/exim/mainlog and yes, this user makes too many connections to the server, every 5 seconds.
 
Run this

Code:
grep "too many connections" /var/log/exim/mainlog

Does it show anything?
 
Thanks Jeff, please tell me how to change the number of SMTP connections for 1 user?
I don't think you can do that. Check exim specifications for reference to smtp_accept; one place to look, for Exim version 4.40, can be found here (gd.tuwien.ac.at).

Jeff
 
Hi,
No. Blank display.

In this case "change smtp_accept_max to 300 or 500 from 100" won't give you what you want. So you might need to debug it, of course, if you are sure that your customer is not trying to log in with wrong credentials.
 
It's close to impossible to spoof an IP# at the connection level (it may actually be impossible), so if the logs show multiple logins every five seconds, the user's connection is probably really making that many connections. When we've had similar problems with our users we've discussed with them what may be connecting from their IP#; often it's multiple users with short retry times for receiving email on an internal network, or that they've forgotten a system set up somewhere on the network. You can block the user's connections but you'll probably still see information in the logs (that's what logs are for; to tell you what's happening).

We've always been able to help the user find the problem; we've never had to terminate a user for TOS violation for this particular issue. In my office we only check every five minutes on each machine running on our network. Some of my clients check every minute.

Jeff
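
To act on the advice in this thread, the following added example (not posted by any participant) groups the "535 Incorrect authentication data" lines of an Exim mainlog by source IP and reports failure count, distinct set_id values and the median gap between failures. The sample lines, addresses and the two pattern labels are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the shape of the mainlog lines quoted in the thread.
SAMPLE_LOG = """\
2012-12-27 03:31:29 login authenticator failed for [192.0.2.10]: 535 Incorrect authentication data (set_id=user@example.com)
2012-12-27 03:31:34 login authenticator failed for [192.0.2.10]: 535 Incorrect authentication data (set_id=user@example.com)
2012-12-27 03:31:39 login authenticator failed for (pc1) [192.0.2.10]: 535 Incorrect authentication data (set_id=user@example.com)
2012-12-27 03:31:44 login authenticator failed for [192.0.2.10]: 535 Incorrect authentication data (set_id=user@example.com)
2012-12-27 03:40:00 1TnXyZ-0001aB-Cd Completed
2012-12-27 04:00:00 plain authenticator failed for [198.51.100.7]: 535 Incorrect authentication data (set_id=admin@example.com)
2012-12-27 04:00:02 plain authenticator failed for [198.51.100.7]: 535 Incorrect authentication data (set_id=info@example.com)
2012-12-27 04:00:03 plain authenticator failed for [198.51.100.7]: 535 Incorrect authentication data (set_id=sales@example.com)
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ authenticator failed for "
    r".*?\[([0-9A-Fa-f:.]+)\](?::\d+)?: 535 Incorrect authentication data"
    r"(?: \(set_id=(.*)\))?\s*$"
)

def summarize(log_text):
    """Return {ip: stats} for every source IP with 535 failures."""
    per_ip = defaultdict(lambda: {"times": [], "ids": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication failure line
        ts, ip, set_id = m.groups()
        per_ip[ip]["times"].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        per_ip[ip]["ids"].add(set_id or "")
    report = {}
    for ip, e in per_ip.items():
        times = sorted(e["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        one_id = len(e["ids"]) == 1
        report[ip] = {
            "failures": len(times),
            "distinct_ids": len(e["ids"]),
            "median_gap_s": median(gaps) if gaps else None,
            # Assumed heuristic: one account retried at a steady interval looks
            # like a client with a stale stored password; many accounts do not.
            "pattern": "single-account retry" if one_id else "multiple accounts tried",
        }
    return report

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        print(ip, stats)
```
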
 