
[solved] What does rejected after DATA mean? Additional RBL questions

Hi there,

A customer has been unable to receive messages from various sender addresses. The permanent bounce message was 550 Administrative prohibition. It turned out that the target IP address has been blacklisted on the Commtouch IP Reputation (cyren.org) list.


Here are some additional questions:

a) What does rejected after DATA mean?
b) Does reason="as" stand for the UTM Antispam tab?
c) We noticed that the RBL IP reputation check is not only performed against the sender but also against the Routing Target (Domains Target). Can someone confirm this behavior as well?


Here's the logfile excerpt:

2017:05:20-00:59:39 utm9 exim-in[13754]: 2017-05-20 00:59:39 [XXX.XXX.XXX.XX] F=<sender@mail.com> R=<receiver@mail.com> Verifying recipient address with callout
2017:05:20-00:59:40 utm9 exim-in[13754]: 2017-05-20 00:59:40 1dBqrz-0003Zq-2O DKIM: d=domain.com s=mail c=simple/simple a=rsa-sha256 [verification succeeded]
2017:05:20-00:59:40 utm9 exim-in[13754]: 2017-05-20 00:59:40 1dBqrz-0003Zq-2O ctasd reports 'Confirmed' RefID:str=0001.0A0C0208.591F78DC.0079,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2017:05:20-00:59:40 utm9 exim-in[13754]: 2017-05-20 00:59:40 1dBqrz-0003Zq-2O id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="XXX.XXX.XXX.XX" from="info@domain.com" to="receiver@mail.com" subject="[Ticket #3471] WG: Mail delivery failed: returning message to sender" queueid="1dBqrz-0003Zq-2O" size="727967" reason="as" extra="confirmed"
2017:05:20-00:59:40 utm9 exim-in[13754]: [1\39] 2017-05-20 00:59:40 1dBqrz-0003Zq-2O H=mail1.domain.com [XXX.XXX.XXX.XX]:49699 F=<receiver@mail.com> rejected after DATA
2017:05:20-00:59:40 utm9 exim-in[13754]: [2\39] Envelope-from: <sender@mail.com>
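
For triaging rejections like the one in the excerpt above, this added example (not part of the original thread) groups log lines by Exim queue ID and pairs each SecureMail "email rejected" event with the ctasd verdict and the "rejected after DATA" line for the same message. The sample lines are constructed from the excerpt's layout, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines following the layout of the excerpt (addresses are placeholders).
SAMPLE = r"""
2017:05:20-00:59:40 utm9 exim-in[13754]: 2017-05-20 00:59:40 1dBqrz-0003Zq-2O ctasd reports 'Confirmed' RefID:str=0001,ss=4
2017:05:20-00:59:40 utm9 exim-in[13754]: 2017-05-20 00:59:40 1dBqrz-0003Zq-2O id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="info@example.com" to="receiver@example.net" subject="Re: test" queueid="1dBqrz-0003Zq-2O" size="727967" reason="as" extra="confirmed"
2017:05:20-00:59:40 utm9 exim-in[13754]: [1\39] 2017-05-20 00:59:40 1dBqrz-0003Zq-2O H=mail1.example.com [192.0.2.10]:49699 F=<receiver@example.net> rejected after DATA
2017:05:20-01:02:11 utm9 exim-in[13760]: 2017-05-20 01:02:11 1dBquR-0003Zw-9K ctasd reports 'Unknown' RefID:str=0002,ss=1
""".strip().splitlines()

# Exim message IDs have the form xxxxxx-xxxxxx-xx (base-62 characters).
QUEUE_ID = re.compile(r"\b([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\b")
KV = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs of the SecureMail event
CTASD = re.compile(r"ctasd reports '([^']*)'")


def correlate(lines):
    """Group log lines by queue ID and collect what was logged for each message."""
    msgs = defaultdict(lambda: {"ctasd": None, "fields": {}, "after_data": False})
    for line in lines:
        m = QUEUE_ID.search(line)
        if not m:
            continue  # e.g. callout lines written before a queue ID exists
        rec = msgs[m.group(1)]
        verdict = CTASD.search(line)
        if verdict:
            rec["ctasd"] = verdict.group(1)
        fields = dict(KV.findall(line))
        if fields.get("sys") == "SecureMail":
            rec["fields"] = fields
        if line.rstrip().endswith("rejected after DATA"):
            rec["after_data"] = True
    return dict(msgs)


def rejected(msgs):
    """Return (queue ID, ctasd verdict, reason, extra, rejected-after-DATA) per rejection."""
    return [
        (qid, r["ctasd"], r["fields"].get("reason"), r["fields"].get("extra"), r["after_data"])
        for qid, r in msgs.items()
        if r["fields"].get("name") == "email rejected"
    ]


if __name__ == "__main__":
    for row in rejected(correlate(SAMPLE)):
        print(row)
```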



  • Thank you for the replies.

    "For the sake of this one message source you are going to let spam into your network?"

    Of course not.

    "What has the sender done to fix his reputation?"

    They have been pretty lazy. Their IT Department started to check their workstations for antivirus and malware. This should have been done way earlier! I am pretty sure that one of their workstations got infected and that is why they ended up on a blacklist. I don’t know how long they have been blacklisted.

    "Is either the mail server or the mail domain in the .tk country code?"

    No .tk TLD is used.


    "Are there any links in the email?"

    Yes, most of the messages include signatures with URLs. One thing I have noticed is that messages usually got rejected on replies. Totally agree with Bob’s point on the content block. For now I am going to mark this thread as solved. Thank you for your support!