"550 Administrative prohibition" issues due to confirmed spam

Question

Hi there,

today incoming messages from 2 customer domains have been rejected to "550 Administrative prohibition". #hostname #5.2.0 SMTP; 550 Administrative prohibition> #SMTP#. A couple of minutes later new messages are delivered successfully again. Sophos 'Mail Manager' marked them as confirmed spam.

Both sender addresses are NOT blacklisted, SPF record are set up correctly and Cyren marks them with 'No Risk'. How can I debug reason="as" extra="confirmed" and ctasd reports 'Confirmed'? Why does Sophos UTM blocks those messages? Firmware version: 9.510-5

Logfile excerpt:
2018:10:01-14:59:29 utm exim-in[5956]: 2018-10-01 14:59:29 SMTP connection from [SERVERIP]:37133 (TCP/IP connection count = 1)
2018:10:01-14:59:29 utm exim-in[21173]: 2018-10-01 14:59:29 [SERVERIP] F=<client@domain.com> R=<user@ourdomain.com> Verifying recipient address with callout
2018:10:01-14:59:34 utm exim-in[21173]: 2018-10-01 14:59:34 1g6xnN-0005VV-2y ctasd reports 'Confirmed'
2018:10:01-14:59:34 utm exim-in[21173]: 2018-10-01 14:59:34 1g6xnN-0005VV-2y id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="SERVERIP" from="client@domain.com" to="user@ourdomain.com" subject="WG: XXXX H\303\266" queueid="1g6xnN-0005VV-2y" size="19171841" reason="as" extra="confirmed"

This thread was automatically locked due to age.

BAlfson · Accepted Answer

This is a problem. Cyren is not keeping up their side of the bargain. They appear to be milking the CommTouch tool without adapting it to new exploits and capabilities. 
 I recommend changing from "Blackhole" to "Quarantine" for 'Confirmed spam action'. This will require that folks log into their User Portal or that the UTM mail admin log into Mail Manager to delete the real spams and 'Release and report as false positive' for those falsely identified as "Confirmed." This doesn't need to be a permanent change as it's easy to whitelist a domain for anti-spam and to report false positives. 
 I had to open a case with Support to get some of these taken care of. 
 I now have another case open for dozens of 'is-spam' reports made without a change in false-negative behavior. Apparently, labs.sophos.com has anti-spam/virus that strips many of the reported is-spams, so they never get taken care of. 
 I'll PM MBP the case #s. 
 Cheers - Bob

BAlfson · Answer

Change to 'Reject at SMTP time: Off' and you should get the result you want. 
 Cheers - Bob

Richard Martens · Answer

This week I got the same error for one customer. I managed to find the cause, not a permanent solution. 
 
 We send out an E-mail with our corporate website in the signature, abc.com. 
 The customer replied, but their anti phishing software from the customer modified our signature in the reply into: 
 <a href=" http://antiphishing.customer.fr/1/YXZlcmR1eW5AcHJvbGFpZGlzLmZyfFZSQzA1ODk0OA%3D%3D/www.abc.com/ " 
 
 This is being recognized by my UTM 9 as: Rejected: Spam (confirmed) 
 
 As long as the customer deletes the antiphishing link in the reply, e-mail traffic is back to normal.