
why? rejected: Spam (Confirmed)

Our appliance is rejecting email from 209.85.214.170.  It shows in mail manager as simply "rejected: Spam (confirmed)".

We are using the recommended blacklist checkbox, with additional servers specified as zen.spamhaus.org and b.barracudacentral.org.

I checked that IP against blacklists and can't find it listed.

Any ideas?


  • Also, an email from 209.85.161.170 was rejected at 11:20 (CST) this morning for Spam (confirmed), but a second one at 12:02 (CST) was delivered.

    Does this mean it was on a blacklist but isn't now?
  • Those look like gmail IPs, so they probably weren't blacklisted.  Post the relevant lines from today's SMTP log file, and maybe we can see why one was rejected.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • First half

    2012-07-06 11:30:35 SMTP connection from [207.8.156.51]:6575 (TCP/IP connection count = 1)
    2012:07:06-11:30:36 ex01 exim-in[11234]: 2012-07-06 11:30:36 [207.8.156.51] F= R= Verifying recipient address with callout
    2012:07:06-11:30:36 ex01 exim-in[11234]: 2012-07-06 11:30:36 1SnBQS-0002vC-1I ctasd reports 'Unknown' RefID:str=0001.0A090203.4FF712AC.008F,ss=1,re=0.000,fgs=0
    2012:07:06-11:30:36 ex01 exim-in[11234]: 2012-07-06 11:30:36 1SnBQS-0002vC-1I Greylisting: 207.8.156.51 is a known retry host
    2012:07:06-11:30:36 ex01 exim-in[11234]: 2012-07-06 11:30:36 1SnBQS-0002vC-1I REMOVED@meetingconsultants.com H=(mcweb1.meetingconsultants.com) [207.8.156.51]:6575 P=esmtp S=5066 id=OF836C2353.D342F4E8-ON85257A33.005B007E-85257A33.005AAF79@meetingconsultants.com
    2012:07:06-11:30:36 ex01 exim-in[11234]: 2012-07-06 11:30:36 SMTP connection from (mcweb1.meetingconsultants.com) [207.8.156.51]:6575 closed by QUIT
    2012:07:06-11:30:38 ex01 exim-in[6321]: 2012-07-06 11:30:38 SMTP connection from [209.85.214.170]:58038 (TCP/IP connection count = 1)
    2012:07:06-11:30:38 ex01 exim-in[6321]: 2012-07-06 11:30:38 SMTP connection from [209.85.214.170]:38291 (TCP/IP connection count = 2)
    2012:07:06-11:30:38 ex01 exim-in[11238]: 2012-07-06 11:30:38 H=mail-ob0-f170.google.com [209.85.214.170]:58038 Warning: Exception matched: Skipping greylisting for this message
    2012:07:06-11:30:38 ex01 exim-in[11239]: 2012-07-06 11:30:38 H=mail-ob0-f170.google.com [209.85.214.170]:38291 Warning: Exception matched: Skipping greylisting for this message
    2012:07:06-11:30:38 ex01 exim-in[11238]: 2012-07-06 11:30:38 [209.85.214.170] F= R= Verifying recipient address with callout
    2012:07:06-11:30:38 ex01 exim-in[11239]: 2012-07-06 11:30:38 [209.85.214.170] F= R= Verifying recipient address with callout
    2012:07:06-11:30:38 ex01 smtpd[6285]: QMGR[6285]: 1SnBQS-0002vC-1I moved to work queue
    2012:07:06-11:30:39 ex01 exim-in[11238]: 2012-07-06 11:30:39 1SnBQU-0002vG-2A ctasd reports 'Confirmed' RefID:str=0001.0A090203.4FF712AF.0011,ss=4,re=0.000,vtr=str,vl=0,fgs=0
    2012:07:06-11:30:39 ex01 exim-in[11239]: 2012-07-06 11:30:39 1SnBQU-0002vH-2A ctasd reports 'Confirmed' RefID:str=0001.0A090207.4FF712AF.001B,ss=4,re=0.000,vtr=str,vl=0,fgs=0
    2012:07:06-11:30:39 ex01 exim-in[11238]: 2012-07-06 11:30:39 1SnBQU-0002vG-2A id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="209.85.214.170" from="REMOVED@THEIRDOMAIN.COM" to="REMOVED@OURDOMAIN.COM" subject="Fwd: REMOVED partner paperwork to REMOVED 3 in Houston\342\200\246trying again" queueid="1SnBQU-0002vG-2A" size="148859" reason="as" extra="confirmed"
    2012:07:06-11:30:39 ex01 exim-in[11238]: [1\42] 2012-07-06 11:30:39 1SnBQU-0002vG-2A H=mail-ob0-f170.google.com [209.85.214.170]:58038 F= rejected after DATA
    2012:07:06-11:30:39 ex01 exim-in[11238]: [2\42] Envelope-from: 
    2012:07:06-11:30:39 ex01 exim-in[11238]: [3\42] Envelope-to: 
    2012:07:06-11:30:39 ex01 exim-in[11238]: [4\42] P Received: from mail-ob0-f170.google.com ([209.85.214.170]:58038)
    2012:07:06-11:30:39 ex01 exim-in[11238]: [5\42]  by smtp01.OURDOMAIN.COM with esmtps (TLSv1:RC4-SHA:128)
    2012:07:06-11:30:39 ex01 exim-in[11238]: [6\42]  (Exim 4.76)
    2012:07:06-11:30:39 ex01 exim-in[11238]: [7\42]  (envelope-from )
    2012:07:06-11:30:39 ex01 exim-in[11238]: [8\42]  id 1SnBQU-0002vG-2A
    2012:07:06-11:30:39 ex01 exim-in[11238]: [9\42]  for REMOVED@OURDOMAIN.COM; Fri, 06 Jul 2012 11:30:38 -0500
    2012:07:06-11:30:39 ex01 exim-in[11238]: [10\42] P Received: by obfk16 with SMTP id k16so17637763obf.29
    2012:07:06-11:30:39 ex01 exim-in[11238]: [11\42]         for ; Fri, 06 Jul 2012 09:30:38 -0700 (PDT)
    2012:07:06-11:30:39 ex01 exim-in[11238]: [12\42]   X-CTCH-RefID: str=0001.0A090203.4FF712AF.0011,ss=4,re=0.000,vtr=str,vl=0,fgs=0
    2012:07:06-11:30:39 ex01 exim-in[11238]: [13\42]   X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    2012:07:06-11:30:39 ex01 exim-in[11238]: [14\42]         d=google.com; s=20120113;
    2012:07:06-11:30:39 ex01 exim-in[11238]: [15\42]         h=from:content-type:subject[:D]ate:references:to:message-id
    2012:07:06-11:30:39 ex01 exim-in[11238]: [16\42]          :mime-version:x-mailer:x-gm-message-state;
    2012:07:06-11:30:39 ex01 exim-in[11238]: [17\42]         bh=HxqOdgnZ//S4tZxNBhU9EYZoDaBgWYsAWI0GxNx6P08=;
    2012:07:06-11:30:39 ex01 exim-in[11238]: [18\42]         b=Bc3qaYMz8p1CL5PSx/XCwHZw/9C9qz7iGjWfMN5YCBkVr6xjfuLZrsSeaIgRRNJ5kl
    2012:07:06-11:30:39 ex01 exim-in[11239]: 2012-07-06 11:30:39 1SnBQU-0002vH-2A id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="209.85.214.170" from="REMOVED@THEIRDOMAIN.COM" to="REMOVED@OURDOMAIN.COM" subject="Fwd: REMOVED partner paperwork to REMOVED 3 in Houston\342\200\246trying again" queueid="1SnBQU-0002vH-2A" size="148867" reason="as" extra="confirmed"
    2012:07:06-11:30:39 ex01 exim-in[11239]: [1\42] 2012-07-06 11:30:39 1SnBQU-0002vH-2A H=mail-ob0-f170.google.com [209.85.214.170]:38291 F= rejected after DATA
    2012:07:06-11:30:39 ex01 exim-in[11239]: [2\42] Envelope-from: 
    2012:07:06-11:30:39 ex01 exim-in[11239]: [3\42] Envelope-to: 
    2012:07:06-11:30:39 ex01 exim-in[11239]: [4\42] P Received: from mail-ob0-f170.google.com ([209.85.214.170]:38291)
    2012:07:06-11:30:39 ex01 exim-in[11239]: [5\42]  by smtp01.OURDOMAIN.COM with esmtps (TLSv1:RC4-SHA:128)
    2012:07:06-11:30:39 ex01 exim-in[11239]: [6\42]  (Exim 4.76)
    2012:07:06-11:30:39 ex01 exim-in[11239]: [7\42]  (envelope-from )
    2012:07:06-11:30:39 ex01 exim-in[11239]: [8\42]  id 1SnBQU-0002vH-2A
    2012:07:06-11:30:39 ex01 exim-in[11239]: [9\42]  for REMOVED@OURDOMAIN.COM; Fri, 06 Jul 2012 11:30:38 -0500
  • 2012:07:06-11:30:39 ex01 exim-in[11239]: [10\42] P Received: by obfk16 with SMTP id k16so17637764obf.29
    2012:07:06-11:30:39 ex01 exim-in[11239]: [11\42]         for ; Fri, 06 Jul 2012 09:30:38 -0700 (PDT)
    2012:07:06-11:30:39 ex01 exim-in[11239]: [12\42]   X-CTCH-RefID: str=0001.0A090207.4FF712AF.001B,ss=4,re=0.000,vtr=str,vl=0,fgs=0
    2012:07:06-11:30:39 ex01 exim-in[11239]: [13\42]   X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    2012:07:06-11:30:39 ex01 exim-in[11239]: [14\42]         d=google.com; s=20120113;
    2012:07:06-11:30:39 ex01 exim-in[11239]: [15\42]         h=from:content-type:subject[:D]ate:references:to:message-id
    2012:07:06-11:30:39 ex01 exim-in[11239]: [16\42]          :mime-version:x-mailer:x-gm-message-state;
    2012:07:06-11:30:39 ex01 exim-in[11239]: [17\42]         bh=HxqOdgnZ//S4tZxNBhU9EYZoDaBgWYsAWI0GxNx6P08=;
    2012:07:06-11:30:39 ex01 exim-in[11239]: [18\42]         b=DNQj96kI8tFHPtUw8LwXRpaJwX5aVZc6YFSiQkgQhvwRb+HzSWZsDUh0lc1c66w/ls
    2012:07:06-11:30:39 ex01 exim-in[11239]: [19\42]          if/P42aG2a09oOSSOX0UpFZi2+d4YMOp9d6kbdCJR5zEaMYXIXas1WE1HurFcSx7HmqR
    2012:07:06-11:30:39 ex01 exim-in[11239]: [20\42]          m2sVXukXs3DoEC12tqT+iI/9lW1wSKEAb9qtLA/WlOOsD4DdvZ5iH3zrHodfkAASKCNe
    2012:07:06-11:30:39 ex01 exim-in[11239]: [21\42]          vWCGGXNi8mS6wDzvK5/Sb4wCz1SAO+7lO3TZD99e7oUWAApiloUVE8ic6HGmmuO8s3Jj
    2012:07:06-11:30:39 ex01 exim-in[11239]: [22\42]          IYoKrTwjOJZ2ljrn7PuzIW3Y2ema33HYEOeUabcF6Bc4IbbnUuWPpfAAwX8/mKaHVnU8
    2012:07:06-11:30:39 ex01 exim-in[11239]: [23\42]          15sw==
    2012:07:06-11:30:39 ex01 exim-in[11239]: [24\42] P Received: by 10.182.17.8 with SMTP id k8mr11817667obd.25.1341592238183;
    2012:07:06-11:30:39 ex01 exim-in[11239]: [25\42]         Fri, 06 Jul 2012 09:30:38 -0700 (PDT)
    2012:07:06-11:30:39 ex01 exim-in[11239]: [26\42] * Return-Path: 
    2012:07:06-11:30:39 ex01 exim-in[11239]: [27\42] P Received: from [192.168.255.141] ([192.131.86.10])
    2012:07:06-11:30:39 ex01 exim-in[11239]: [28\42]         by mx.google.com with ESMTPS id g8sm3438833obz.16.2012.07.06.09.30.36
    2012:07:06-11:30:39 ex01 exim-in[11239]: [29\42]         (version=SSLv3 cipher=OTHER);
    2012:07:06-11:30:39 ex01 exim-in[11239]: [30\42]         Fri, 06 Jul 2012 09:30:36 -0700 (PDT)
    2012:07:06-11:30:39 ex01 exim-in[11239]: [31\42] F From: REMOVED 
    2012:07:06-11:30:39 ex01 exim-in[11239]: [32\42]   Content-Type: multipart/alternative; boundary="Apple-Mail=_A49C8B9D-85FD-46A9-9764-613E8E9841A9"
    2012:07:06-11:30:39 ex01 exim-in[11239]: [33\42]   Subject: =?windows-1252?Q?Fwd=3A_REMOVED_partner_paperwork_to_REMOVED_3_in_H?=
    2012:07:06-11:30:39 ex01 exim-in[11239]: [34\42]  =?windows-1252?Q?ouston=85trying_again?=
    2012:07:06-11:30:39 ex01 exim-in[11239]: [35\42]   Date: Fri, 6 Jul 2012 11:25:15 -0500
    2012:07:06-11:30:39 ex01 exim-in[11238]: [19\42]          zsXXeoJZpvv6qun5cxfKUd5hTqxE2sdLo12rF0+afu9uXv55LrTGTIHkicx3Tn4br6+O
    2012:07:06-11:30:39 ex01 exim-in[11238]: [20\42]          IAK4LuO2ZU81nDauPSIDeN0XXWGI3EvIeCm4QM+tgZEsJdOkcz8HVG7tLP75hiaI6gpS
    2012:07:06-11:30:39 ex01 exim-in[11238]: [21\42]          Hqu3RTpfn8BPUyO0N4YEUZh52a8bpDpEh/x/5/QlvmdjTncpPOXzvGttODApqyO/RLGd
    2012:07:06-11:30:39 ex01 exim-in[11238]: [22\42]          pNibRnoyhs9THBk76rr00BoP0lUovcTz+ole/h2unOpw+kPmZJEzpFOlLNICK2EBvxZC
    2012:07:06-11:30:39 ex01 exim-in[11238]: [23\42]          IXEg==
    2012:07:06-11:30:39 ex01 exim-in[11238]: [24\42] P Received: by 10.182.17.8 with SMTP id k8mr11817667obd.25.1341592238183;
    2012:07:06-11:30:39 ex01 exim-in[11238]: [25\42]         Fri, 06 Jul 2012 09:30:38 -0700 (PDT)
    2012:07:06-11:30:39 ex01 exim-in[11238]: [26\42] * Return-Path: 
    2012:07:06-11:30:39 ex01 exim-in[11238]: [27\42] P Received: from [192.168.255.141] ([192.131.86.10])
    2012:07:06-11:30:39 ex01 exim-in[11238]: [28\42]         by mx.google.com with ESMTPS id g8sm3438833obz.16.2012.07.06.09.30.36
    2012:07:06-11:30:39 ex01 exim-in[11238]: [29\42]         (version=SSLv3 cipher=OTHER);
    2012:07:06-11:30:39 ex01 exim-in[11238]: [30\42]         Fri, 06 Jul 2012 09:30:36 -0700 (PDT)
    2012:07:06-11:30:39 ex01 exim-in[11238]: [31\42] F From: REMOVED 
    2012:07:06-11:30:39 ex01 exim-in[11238]: [32\42]   Content-Type: multipart/alternative; boundary="Apple-Mail=_A49C8B9D-85FD-46A9-9764-613E8E9841A9"
    2012:07:06-11:30:39 ex01 exim-in[11238]: [33\42]   Subject: =?windows-1252?Q?Fwd=3A_REMOVED_partner_paperwork_to_REMOVED_3_in_H?=
    2012:07:06-11:30:39 ex01 exim-in[11238]: [34\42]  =?windows-1252?Q?ouston=85trying_again?=
    2012:07:06-11:30:39 ex01 exim-in[11238]: [35\42]   Date: Fri, 6 Jul 2012 11:25:15 -0500
    2012:07:06-11:30:39 ex01 exim-in[11238]: [36\42]   References: 
    2012:07:06-11:30:39 ex01 exim-in[11238]: [37\42] T To: REMOVED ,
    2012:07:06-11:30:39 ex01 exim-in[11238]: [38\42]  REMOVED@OURDOMAIN.COM
    2012:07:06-11:30:39 ex01 exim-in[11238]: [39\42] I Message-Id: 
    2012:07:06-11:30:39 ex01 exim-in[11238]: [40\42]   Mime-Version: 1.0 (Apple Message framework v1278)
    2012:07:06-11:30:39 ex01 exim-in[11238]: [41\42]   X-Mailer: Apple Mail (2.1278)
    2012:07:06-11:30:39 ex01 exim-in[11238]: [42/42]   X-Gm-Message-State: ALoCoQlHvwEUTNZb4l2w0OQPfECqQpIJtBDJD7S8fZnfIQ12AhU105gl33FY1RYzgaPvzrSfX5Rc
    2012:07:06-11:30:39 ex01 exim-in[11238]: 2012-07-06 11:30:39 1SnBQU-0002vG-2A SMTP connection from mail-ob0-f170.google.com [209.85.214.170]:58038 closed by DROP in ACL
    2012:07:06-11:30:39 ex01 exim-in[11239]: [36\42]   References: 
    2012:07:06-11:30:39 ex01 exim-in[11239]: [37\42] T To: REMOVED ,
    2012:07:06-11:30:39 ex01 exim-in[11239]: [38\42]  REMOVED@OURDOMAIN.COM
    2012:07:06-11:30:39 ex01 exim-in[11239]: [39\42] I Message-Id: 
    2012:07:06-11:30:39 ex01 exim-in[11239]: [40\42]   Mime-Version: 1.0 (Apple Message framework v1278)
    2012:07:06-11:30:39 ex01 exim-in[11239]: [41\42]   X-Mailer: Apple Mail (2.1278)
    2012:07:06-11:30:39 ex01 exim-in[11239]: [42/42]   X-Gm-Message-State: ALoCoQmmgidzhotkXNd4JD2sEs85GRXhbDQ0CBHu9qzusCkfU/1UjZfiWGFFeoXke78BFfABzByE
    2012:07:06-11:30:39 ex01 exim-in[11239]: 2012-07-06 11:30:39 1SnBQU-0002vH-2A SMTP connection from mail-ob0-f170.google.com [209.85.214.170]:38291 closed by DROP in ACL
  • rejected after DATA

    So, I think that means it got past the RBL testing and such.  There could have been a brief period where CommTouch thought that those IPs had bad reputations, but it seems more likely that the "pattern" of the header, including the originating IP, and content matched that of known spam.  I think that's what the RefID refers to in the following line:

    2012:07:06-11:30:39 ex01 exim-in[11238]: 2012-07-06 11:30:39 1SnBQU-0002vG-2A ctasd reports 'Confirmed' RefID:str=0001.0A090203.4FF712AF.0011,ss=4,re=0.000,vtr=str,vl=0,fgs=0


    If you know that the messages shouldn't have been rejected (a false positive), then this is a whole different kettle of fish!

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, it's legitimate emails from a company that we haven't worked with before.  A couple from one of their employees came through, but all others from the other two senders at the company (coming from the same Google servers) are still being blocked.  The only thing I can do is create an exemption for spam checking.

    I'd like to be able to tell them why, or how to fix on their side.
  • If they are using Google servers then it's nothing they can fix on their end, EXCEPT if one of their boxes is infected with something, which will trigger spam blocking.  I would have those affected users/machines checked and cleaned for malware.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • I have had a couple of messages from AOL email addresses that were legit mail but tagged as confirmed spam. In my case, the mail was a general FYI intended for multiple recipients in multiple companies.
  • No system is 100% effective; wish it was.  However, sometimes a spammer uses one IP for a bit, then moves on; the reputation lists sometimes don't keep up. :(

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • I have a user querying why a mail which was sent to two people in the office was rejected by the spam filter for one user.  The relevant log line is this:

    to="***@***" subject="redacted" queueid="1TaImc-0003lY-M3" size="578" reason="as" extra=""

    Any place to find an explanation of this?

    Thanks
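A small correlation script, added here as an illustration and not part of the thread or of Sophos UTM, that ties together the three log lines Bob's reply points at (the ctasd verdict, the `name="email rejected"` event with its `reason=`/`extra=` fields, and the "rejected after DATA" line) per queue ID, and also handles the `reason="as" extra=""` case from the last post. It assumes `reason="as"` denotes the anti-spam scanner verdict (an assumption from the thread, not documented here) and that the sample lines, cut down from the log posted above, are representative.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the SMTP log posted in this thread.
SAMPLE_LOG = r"""2012:07:06-11:30:36 ex01 exim-in[11234]: 2012-07-06 11:30:36 1SnBQS-0002vC-1I ctasd reports 'Unknown' RefID:str=0001.0A090203.4FF712AC.008F,ss=1,re=0.000,fgs=0
2012:07:06-11:30:38 ex01 exim-in[11238]: 2012-07-06 11:30:38 H=mail-ob0-f170.google.com [209.85.214.170]:58038 Warning: Exception matched: Skipping greylisting for this message
2012:07:06-11:30:39 ex01 exim-in[11238]: 2012-07-06 11:30:39 1SnBQU-0002vG-2A ctasd reports 'Confirmed' RefID:str=0001.0A090203.4FF712AF.0011,ss=4,re=0.000,vtr=str,vl=0,fgs=0
2012:07:06-11:30:39 ex01 exim-in[11238]: 2012-07-06 11:30:39 1SnBQU-0002vG-2A id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="209.85.214.170" from="REMOVED@THEIRDOMAIN.COM" to="REMOVED@OURDOMAIN.COM" subject="Fwd: partner paperwork" queueid="1SnBQU-0002vG-2A" size="148859" reason="as" extra="confirmed"
2012:07:06-11:30:39 ex01 exim-in[11238]: [1\42] 2012-07-06 11:30:39 1SnBQU-0002vG-2A H=mail-ob0-f170.google.com [209.85.214.170]:58038 F= rejected after DATA
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')                       # key="value" pairs
CTASD_RE = re.compile(r"(\S+) ctasd reports '(\w+)' RefID:(\S+)")
DATA_RE = re.compile(r"(\S+) H=\S+ \[[\d.]+\]:\d+ F=\S* rejected after DATA")


def parse_log(text):
    """Correlate, per Exim queue ID, the ctasd verdict, the rejection event
    and the SMTP phase in which the rejection happened."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = CTASD_RE.search(line)
        if m:
            qid, verdict, refid = m.groups()
            msgs[qid].update(verdict=verdict, refid=refid)
            continue
        if 'name="email rejected"' in line:
            kv = dict(KV_RE.findall(line))
            msgs[kv["queueid"]].update(reason=kv["reason"], extra=kv["extra"],
                                       srcip=kv["srcip"])
            continue
        m = DATA_RE.search(line)
        if m:
            msgs[m.group(1)]["phase"] = "after DATA"
    return dict(msgs)


def explain(rec):
    """Turn one correlated record into the plain answer an admin is after."""
    if rec.get("reason") != "as":          # assumption: "as" = anti-spam scanner
        return "not a spam-scanner rejection (reason=%r)" % rec.get("reason")
    label = "Spam (%s)" % (rec.get("extra") or "unspecified")   # extra="" case
    if rec.get("phase") == "after DATA":
        # A DATA-stage reject comes after the connect/RCPT-time checks (RBL
        # lookups, greylisting), so the blacklists were already passed.
        return "%s by content scanner after DATA (ctasd verdict: %s); RBLs were passed" % (
            label, rec.get("verdict", "none logged"))
    return "%s (phase unknown)" % label
```

Running `explain` over `parse_log(SAMPLE_LOG)["1SnBQU-0002vG-2A"]` reproduces the thread's conclusion: a "Spam (confirmed)" verdict from the content scanner, not an RBL hit.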