[solved] What does rejected after DATA mean? Additional RBL questions

Question

Hi there,

a customer has been unable to receive messages from various sender addresses. The permanent bounce message was 550 Administrative prohibition. It turned out that the target ip address has been blacklisted on the Commtouch IP Reputation (cyren.org) list.

Here are some additional question:

a) What does rejected after DATA mean?
b) Does reason="as" stand for the UTM Antispam tab?
c) We noticed that the RBL IP reputation check is not only performed against sender but also against the Routing Target (Domains Target). Can someone confirm this behavior as well?

Here's the logfile exerpt:

2017:05:20-00:59:39 utm9 exim-in[13754]: 2017-05-20 00:59:39 [XXX.XXX.XXX.XX] F=<sender@mail.com> R=<receiver@mail.com> Verifying recipient address with callout
2017:05:20-00:59:40 utm9 exim-in[13754]: 2017-05-20 00:59:40 1dBqrz-0003Zq-2O DKIM: d=domain.com s=mail c=simple/simple a=rsa-sha256 [verification succeeded]
2017:05:20-00:59:40 utm9 exim-in[13754]: 2017-05-20 00:59:40 1dBqrz-0003Zq-2O ctasd reports 'Confirmed' RefID:str=0001.0A0C0208.591F78DC.0079,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2017:05:20-00:59:40 utm9 exim-in[13754]: 2017-05-20 00:59:40 1dBqrz-0003Zq-2O id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="XXX.XXX.XXX.XX" from="info@domain.com" to="receiver@mail.com" subject="[Ticket #3471] WG: Mail delivery failed: returning message to sender" queueid="1dBqrz-0003Zq-2O" size="727967" reason="as" extra="confirmed"
2017:05:20-00:59:40 utm9 exim-in[13754]: [1\39] 2017-05-20 00:59:40 1dBqrz-0003Zq-2O H=mail1.domain.com [XXX.XXX.XXX.XX]:49699 F=<receiver@mail.com> rejected after DATA
2017:05:20-00:59:40 utm9 exim-in[13754]: [2\39] Envelope-from: <sender@mail.com>

This thread was automatically locked due to age.

DouglasFoster · Accepted Answer

I believe rhat the RFC specifies that the receiver can only blick the message at two points in the session - either 
 1) after the helo, when it only knows source ip, target address and supposed sender. 
 Or 
 2) after the whole message is accepted. ( after data = whole message) 
 The rbl check was apparently not announced until after the whole message was received. 
 It is the sender's job to get himself off the blacklist, if the message is legitimate.

BAlfson · Answer

a) Like Doug said. 
 b) Yes. 
 c) I don't understand. There's nothing in the lines you showed us that indicate that. 
 ctasd reports 'Confirmed' RefID:str=0001.0A0C0208.591F78DC.0079,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8 
 From this, I don't see a reputation-based rejection, rather, a content-based rejection. 
 Cheers - Bob

BAlfson · Answer

"I assumed that Sophos also scans all ip address within the mailheader. The mail header included the blacklisted ip address." 
 That's not the case. The only IP checked in RBLs is the IP of the MTA asking us to accept an email from it. If the email had been rejected for being in an RBL, you would see a line like the following: 
 2017:05:24-13:31:43 secure exim-in[13600]: 2017-05-24 13:31:43 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="216.146.33.134" from="bounces+user=domain.com@dynect-mailer.net" to= user@domain.com size="-1" reason="rbl" extra="bl.spamcop.net" 
 And, that occurs almost immediately - before the DATA command is accepted. 
 Cheers - Bob

eyos · Answer

Thank you for replies. 
 "For the sake of this one message source you are going to let spam into your network?" 
 Of course not. 
 "What has the sender done to fix his reputation?" 
 They have been pretty lazy. Their IT Department started to check their workstations for antivirus and malware. This should have been done way earlier! I am pretty sure that one of their workstations got infected and that is why they ended up on a blacklists. I don&rsquo;t know how long they have been blacklisted. 
 "Is either the mail server or the mail domain in the .tk country code?" 
 no .tk TPL is used. 
 "Are there any links in the email? " 
 Yes, most of the messages including signatures with urls. One thing I have noticed is that messages got rejected usually on replies. Totally agree with Bob&rsquo;s point on the content block. For now I am going to mark this thread as solved. Thank you for your support!