Mail rejected "Administrative prohibition"

Hello,
some of our partners can't send us emails!
They are not on any blacklist, have valid RDNS, have valid SPF.
I see absolutely no reason why they should be blocked.
What is going on? And how can I avoid this happening to any of our other partners?
We don't have the administrative resources to report every false positive to Sophos, so please don't just send me the link to report.
I read somewhere that I could disable reject spam at SMTP time.
What is the impact of this setting? Does every spam go to quarantine then? What about the wasted disc space then?
The NDR says: "550 Administrative prohibition"

EDIT: Then again, some of the emails from the same partner domain get through without any problems.

2019:09:05-08:34:27 asg-1 exim-in[5658]: 2019-09-05 08:34:27 SMTP connection from [x.x.x.x]:37546 (TCP/IP connection count = 1)
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 H=smtp.partnerdomain.xxx [x.x.x.x]:37546 Warning: ourdomain.xxx profile excludes SANDBOX scan
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 [x.x.x.x] F=<someone@partnerdomain.xxx> R=<someone@ourdomain.xxx> Verifying recipient address in Active Directory
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70AC74.008D,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="x.x.x.x" from="someone@partnerdomain.xxx" to="someone@ourdomain.xxx" subject="Fehler mit Mailadresse hweigl" queueid="1i5lLg-0006t2-2C" size="16708" reason="as" extra="confirmed

Thanks and Regards

  • Hi

    Looking into the logs carefully, I see that the AntiSpam engine has reported this particular email as Confirmed Spam, which you can see from the following log line:

    Daniel Schatz
    2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70AC74.008D,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8

    And the SMTP exim-in log says the same:

    Daniel Schatz
    2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="x.x.x.x" from="someone@partnerdomain.xxx" to="someone@ourdomain.xxx" subject="Fehler mit Mailadresse hweigl" queueid="1i5lLg-0006t2-2C" size="16708" reason="as" extra="confirmed

    You may turn off the option Reject at SMTP time, and that will definitely increase the size of the Quarantine list, as mails will be put into Quarantine instead of being rejected straight away. However, it should not be a concern, as you can set a limit after how many days quarantined emails will be deleted. You may configure that setting under Email Protection > Mail Manager > Configuration.

  • In reply to Jaydeep:

    Hi Jaydeep and thanks for the answer.
    My question is still: why has this email been blocked in the first place?
    Did the "spam confirmed" tag come from Cyren?

    This never happened with valid partner emails until recently.
    As already reported, some emails from the same domain get through without any trouble.
    Sometimes even from the SAME sender.

  • In reply to Daniel Schatz:

    Hi

    Each email is scanned individually, and that's why it contains a unique "RefID:str", and one cannot tell what was found in the email for it to be considered Confirmed Spam. The tag has come from Cyren. If the rate of false positives is too high, try to find any similarities in the emails, and if you're not sure, it might be worth creating a case.
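The log lines in the original question and the reply above together show how a rejection is recorded: a ctasd line carrying the Cyren verdict and the per-message RefID, followed by a SecureMail "email rejected" event with reason="as" and extra="confirmed", both tagged with the same Exim queue id. The script below is an added example, not code from the original post or from Sophos: it parses lines in that format, joins the verdict to the SMTP event on the queue id, and summarises per sender domain how many messages were rejected as confirmed spam versus handled otherwise, collecting the RefIDs an administrator would quote when opening a case. It also tolerates the unterminated extra="confirmed value seen in the quoted log. The sample lines are constructed placeholders that mimic the page's format (IPs, domains, subjects and queue ids are invented); the "email passed" event name and id="1000" are assumptions, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Sophos UTM exim-in format quoted in the thread.
# IPs, domains, subjects and queue ids are placeholders; the "email passed" event
# (id="1000") is an assumption used to show a delivered message beside the rejections.
SAMPLE_LOG = """\
2019:09:05-08:34:27 asg-1 exim-in[5658]: 2019-09-05 08:34:27 SMTP connection from [192.0.2.10]:37546 (TCP/IP connection count = 1)
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70AC74.008D,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="alice@partner.example" to="bob@ourdomain.example" subject="Quarterly report" queueid="1i5lLg-0006t2-2C" size="16708" reason="as" extra="confirmed
2019:09:05-09:10:02 asg-1 exim-in[26500]: 2019-09-05 09:10:02 1i5lZz-0006u9-1A ctasd reports 'Unknown' RefID:str=0001.0A0C020D.5D70B4F1.0012,ss=0,re=0.000,recu=0.000,reip=0.000,cl=0,cld=0,fgs=0
2019:09:05-09:10:02 asg-1 exim-in[26500]: 2019-09-05 09:10:02 1i5lZz-0006u9-1A id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.0.2.10" from="alice@partner.example" to="bob@ourdomain.example" subject="Re: Quarterly report" queueid="1i5lZz-0006u9-1A" size="8120"
2019:09:05-09:15:44 asg-1 exim-in[26510]: 2019-09-05 09:15:44 1i5lfG-0006vv-3B ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70B642.0042,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2019:09:05-09:15:44 asg-1 exim-in[26510]: 2019-09-05 09:15:44 1i5lfG-0006vv-3B id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="198.51.100.7" from="promo@bulk.example" to="bob@ourdomain.example" subject="Win a prize" queueid="1i5lfG-0006vv-3B" size="40211" reason="as" extra="confirmed"
"""

# Syslog-style prefix: timestamp, host, process[pid]:, then Exim's own date/time.
PREFIX_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: \S+ \S+ (?P<rest>.*)$')
# Cyren/ctasd verdict line keyed by queue id; RefID ends at the first comma.
VERDICT_RE = re.compile(r"^(?P<qid>\S+) ctasd reports '(?P<verdict>\w+)' RefID:str=(?P<refid>[^,]+)(?:,(?P<scores>.*))?$")
# key="value" pairs; the closing quote is optional so a truncated last field still parses.
KV_RE = re.compile(r'(\w+)="([^"]*)"?')


def parse_line(line):
    """Classify one exim-in log line as a ctasd verdict, a SecureMail event, or other."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    v = VERDICT_RE.match(rest)
    if v:
        scores = {}
        for item in (v.group('scores') or '').split(','):
            key, sep, val = item.partition('=')
            if sep:
                scores[key] = val
        return {'kind': 'verdict', 'queueid': v.group('qid'), 'verdict': v.group('verdict'),
                'refid': v.group('refid'), 'scores': scores}
    if 'name="' in rest:
        rec = {'kind': 'event'}
        rec.update(KV_RE.findall(rest))
        return rec
    return {'kind': 'other', 'text': rest}


def correlate(lines):
    """Join each SecureMail event to the ctasd verdict with the same Exim queue id."""
    verdicts, events = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['kind'] == 'verdict':
            verdicts[rec['queueid']] = rec
        elif rec['kind'] == 'event':
            events.append(rec)
    joined = []
    for ev in events:
        v = verdicts.get(ev.get('queueid'))
        joined.append({'queueid': ev.get('queueid'), 'from': ev.get('from'), 'to': ev.get('to'),
                       'srcip': ev.get('srcip'), 'event': ev.get('name'), 'reason': ev.get('reason'),
                       'extra': ev.get('extra'), 'verdict': v['verdict'] if v else None,
                       'refid': v['refid'] if v else None})
    return joined


def rejections_by_sender_domain(records):
    """Count confirmed-spam rejections per sender domain and keep their RefIDs for a support case."""
    summary = defaultdict(lambda: {'rejected_confirmed': 0, 'other': 0, 'refids': []})
    for r in records:
        domain = (r['from'] or '').rpartition('@')[2].lower()
        s = summary[domain]
        if r['event'] == 'email rejected' and r['reason'] == 'as' and r['verdict'] == 'Confirmed':
            s['rejected_confirmed'] += 1
            s['refids'].append(r['refid'])
        else:
            s['other'] += 1
    return dict(summary)


def mixed_domains(summary):
    """Domains both rejected as confirmed spam and handled otherwise: the pattern the
    original poster saw, and the first place to look for false positives."""
    return sorted(d for d, s in summary.items() if s['rejected_confirmed'] and s['other'])


if __name__ == '__main__':
    recs = correlate(SAMPLE_LOG.splitlines())
    summary = rejections_by_sender_domain(recs)
    for domain, s in sorted(summary.items()):
        print(f"{domain}: rejected as confirmed spam={s['rejected_confirmed']} other={s['other']} refids={s['refids']}")
    print("domains with mixed outcomes:", mixed_domains(summary))
```

Run it against a real exim-in log by replacing SAMPLE_LOG with the file's lines; the per-domain RefID list is what a case for a suspected false positive needs, since the reply above notes the RefID is unique per message and nothing else in the log says why it was tagged.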

  • In reply to Jaydeep:

    Jaydeep, this is the first time I've heard of the solution suggested by Thorsten.  I know that as late as March of this year, this was unknown to Support.  Over a period of six months, I reported over 100 false positives and finally told Support I wasn't doing it anymore - that they had a problem and they needed to identify it.

    Someone needs to do a KB article about this and to make sure it's documented in Support's problem-solving system.  If Thorsten is indeed the first one to propose this, the KBA should acknowledge his contribution.

    Cheers - Bob

  • In reply to BAlfson:

    Hi

    I've checked that article, and we will be checking these details soon with our GES team and try to come up with an article. And we'll surely acknowledge  article and his contribution. It might take some time, as we will need to apply this in some real scenarios, as a lab setup won't help much in this case.

    Thanks to both of you.