Re: 5.x.0 - Message bounced by administrator ('000', [])

paraman · ‎02-05-2018

Hello.
I use:
Product: Cisco IronPort C370 Messaging Gateway (tm) Appliance
Model: C370
Version: 11.0.1-027
Build Date: 2017-11-07
Install Date: 2018-02-05 11:08:47
BIOS: 2.2.17
RAID: 1.21.02-0528, 2.01.00, 1.02-014B
RAID Status: Optimal
RAID Type: 1
BMC: 1.85

Help. I receive some messages in mail_logs:
Mon Feb 5 11:37:17 2018 Info: Bounced: DCID 0 MID 29695034 From: <support @ *. Ru> To: <adminreg @ *. Ru> RID 0 - 5.x.0 - Message bounced by administrator (' 000 ', [])
Mon Feb 5 11:37:17 2018 Info: Bounced: DCID 0 MID 29695034 From: <support @ *. Ru> To: <sysadmin @ *. Ru> RID 1 - 5.x.0 - Message bounced by administrator (' 000 ', [])

Here is the full log:

Mon Feb 5 11:37:16 2018 Info: Start MID 29695034 ICID 45894916
Mon Feb 5 11:37:16 2018 Info: MID 29695034 ICID 45894916 From: <support @ *. Ru>
Mon Feb 5 11:37:16 2018 Info: MID 29695034 ICID 45894916 RID 0 To: <adminreg @ *. Ru>
Mon Feb 5 11:37:16 2018 Info: MID 29695034 ICID 45894916 RID 1 To: <sysadmin @ *. Ru>
Mon Feb 5 11:37:17 2018 Info: MID 29695034 using engine: SPF Verdict Cache using cached verdict
Mon Feb 5 11:37:17 2018 Info: MID 29695034 SPF: helo identity postmaster @ relay. * .ru None
Mon Feb 5 11:37:17 2018 Info: MID 29695034 using engine: SPF Verdict Cache using cached verdict
Mon Feb 5 11:37:17 2018 Info: MID 29695034 SPF: mailfrom identity support@*.ru Pass (v = spf1)
Mon Feb 5 11:37:17 2018 Info: MID 29695034 using engine: SPF Verdict Cache using cached verdict
Mon Feb 5 11:37:17 2018 Info: MID 29695034 SPF: pra identity support@*.ru None headers from
Mon Feb 5 11:37:17 2018 Info: MID 29695034 Message-ID '<8f81bfc3cc8441729d26ce3ee1d38051@mb01.corp.*.ru>'
Mon Feb 5 11:37:17 2018 Info: MID 29695034 Subject '=? Windows-1251? B? UkU6IDE4NjA2MSAoz8 / QKSDn4P / i6uAg7eAg8uX17 + 7k5OXw5urzOiBG? = \ R \ n =? Windows-1251? B? Vzogx + Dv8O7xIOIg8uX17ej35fHq8 / 4g8evz5uHzOsPu8fPx6 / Pj6A ==? = '
Mon Feb 5 11:37:17 2018 Info: MID 29695034 ready 42277 bytes from <support @ *. Ru>
Mon Feb 5 11:37:17 2018 Info: MID 29695034 matched all recipients for per-recipient policy DEFAULT in the inbound table
Mon Feb 5 11:37:17 2018 Info: MID 29695034 interim verdict using engine: CASE spam positive
Mon Feb 5 11:37:17 2018 Info: MID 29695034 using engine: CASE spam positive
Mon Feb 5 11:37:17 2018 Info: Bounced: DCID 0 MID 29695034 to RID 0 - Bounced by destination server with response: 5.x.0 - Message bounced by administrator ('000', [])
Mon Feb 5 11:37:17 2018 Info: MID 29695035 was generated for bounce of MID 29695034
Mon Feb 5 11:37:17 2018 Info: Bounced: DCID 0 MID 29695034 to RID 1 - Bounced by destination server with response: 5.x.0 - Message bounced by administrator ('000', [])
Mon Feb 5 11:37:17 2018 Info: MID 29695036 was generated for bounce of MID 29695034
Mon Feb 5 11:37:17 2018 Info: Message finished MID 29695034 done
Mon Feb 5 11:37:17 2018 Info: Message aborted MID 29695034 Bounced by CASE

I can not understand the reasons for this behavior. What can I do to get the letters to come or how to eliminate this rebound?

Libin Varghese · ‎02-05-2018

Based on the logs provided it appears the email was bounced by the anti-spam engine configuration. The ESA marked the email positive for spam based on its global rules and performed the action configured.

This is configured under Mail Policies -> Incoming Mail Policies -> Default -> Anti-Spam -> Positively-Identified Spam Settings

To bypass anti-spam scanning for the sending domain you can create a separate incoming mail policy for the domain and turn off anti-spam check for them.

If you feed the email is being incorrectly marked as spam you can submit the email sample to ham@access.ironport.com or using one of the other methods explained in the below article.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117822-qanda-esa-00.html

Regards,

Libin Varghese