[solved] What does rejected after DATA mean? Additional RBL questions

a) Like Doug said.

b) Yes.

c) I don't understand.  There's nothing in the lines you showed us that indicate that.

ctasd reports 'Confirmed' RefID:str=0001.0A0C0208.591F78DC.0079,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8

From this, I don't see a reputation-based rejection, rather, a content-based rejection.

Cheers - Bob

Thank you for your replies.

c) I don’t understand it either, that is why I am trying to find a answer. Indeed, there’s no indication in the logfile. As I said the target ip address (a Exchange server ip) has been blacklisted on the Commtouch IP Reputation.

However, as soon as we disabled the »Use Use recommended RBLs« checkbox the message has been delivered successfully. I was able to reproduce it 4 times.

I still don't understand what you are saying.  A picture perhaps?

Cheers - Bob

As soon as we disabled the checkbox »Use recommended RBLs« (SMTP>Antispam>RBL) the message has been delivered successfully.

As soon as re-enabled the checkbox »Use recommended RBLs«, Sophos blocked our message that we send to the target server. 

I assumed that Sophos also scans all ip address within the mailheader. The mail header included the blacklisted ip address.

For the sake of this one message source you are hoing to let spam into your network?

What has the sender done to fix his reputation?

Is either the mail server or the mail domain in the .tk country code?   Sophos blocks everyhing from .tk for reasons ddiscussed elsewhete in this forum.  This may explain your symptoms.

"I assumed that Sophos also scans all ip address within the mailheader. The mail header included the blacklisted ip address."

That's not the case.  The only IP checked in RBLs is the IP of the MTA asking us to accept an email from it.  If the email had been rejected for being in an RBL, you would see a line like the following:

2017:05:24-13:31:43 secure exim-in[13600]: 2017-05-24 13:31:43 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="216.146.33.134" from="bounces+user=domain.com@dynect-mailer.net" to=user@domain.com size="-1" reason="rbl" extra="bl.spamcop.net"

And, that occurs almost immediately - before the DATA command is accepted.

Cheers - Bob

Are there any links in the email?   They are part of the Data section, and will be evaluated for reputstipn as well.

Since Bob has already observed thst it is a content block, consistent with your data thst the block occurs after the message body is received, it is the message body (or subject line) that creates the problem.  Since rbl checking changes the symptom, the problem has to be a link in the message.

Since Bob has already observed thst it is a content block, consistent with your data thst the block occurs after the message body is received, it is the message body (or subject line) that creates the problem.  Since rbl checking changes the symptom, the problem has to be a link in the message.

Thank you for replies.

"For the sake of this one message source you are going to let spam into your network?"

Of course not.

"What has the sender done to fix his reputation?"

They have been pretty lazy. Their IT Department started to check their workstations for antivirus and malware. This should have been done way earlier! I am pretty sure that one of their workstations got infected and that is why they ended up on a blacklists. I don’t know how long they have been blacklisted.

"Is either the mail server or the mail domain in the .tk country code?"

no .tk TPL is used.

"Are there any links in the email? "

Yes, most of the messages including signatures with urls. One thing I have noticed is that messages got rejected usually on replies. Totally agree with Bob’s point on the content block. For now I am going to mark this thread as solved. Thank you for your support!