The first thing to check is the reputation of the IP address that shows up in the "logical IP" field in the MAL record.
When receiving emails, SMG will walk backward through the received headers, skipping over any "internal" IP addresses. If it finds a "bad" IP address, your IP reputation policy will fire.
"Internal" IP addresses, from a processing perspective, are any IPs that are configured in your "internal range" settings.
If the SMG is "at the edge", then "connecting IP" = "logical IP" -> used for reputation/filtering.
If the SMG is NOT on the edge, then "connecting IP" != "logical IP" and the logical IP -> used for reputation/filtering.
Net: "Looks" like the "logical IP" for this message is on either a global or local reputation list.
If you don't find what you are looking for, open a support case and make sure you provide an un-obscured copy of your MAL (that tracker can be decoded by support) and your bmiconfig.xml.
Original Message:
Sent: 11-01-2021 11:00 AM
From: Trusted Computer
Subject: Verdict: User Reject, Action: Delete Message
Not sure why you can't see it. Can you see this link, "view attached"?
view attached
Original Message:
Sent: 10-27-2021 04:25 PM
From: Trusted Computer
Subject: Verdict: User Reject, Action: Delete Message
I am investigating an email that wasn't delivered. The message audit log shows Verdict: User Reject, Action: Delete Message.
The user account has no entries in "Bad Senders" and there are no policies that are part of any enabled policy groups (just the default in this case) with this action. What else should I be investigating here?
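The header walk described in the reply at the top of this thread, as an added example that is not part of the original posts and is not Symantec's code: a simplified model that picks the first non-internal IP, starting with the connecting IP and then reading the Received headers from newest to oldest. The function names, the sample message and the address ranges are constructed for illustration.

```python
import email
import ipaddress
import re

# Bracketed address literal in a Received header, e.g. "[203.0.113.7]".
_BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample: newest hop first, as headers appear in a delivered message.
SAMPLE = (
    "Received: from relay.example.net ([10.1.2.3]) by smg.example.net\r\n"
    "Received: from mail.sender.example ([203.0.113.7]) by relay.example.net\r\n"
    "Received: from workstation ([192.168.5.20]) by mail.sender.example\r\n"
    "From: sender@sender.example\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)


def is_internal(ip, internal_ranges):
    """True if ip falls inside any configured internal range (CIDR strings)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in internal_ranges)


def logical_ip(raw_message, connecting_ip, internal_ranges):
    """Return the first non-internal IP: the connecting IP if the gateway is at
    the edge, otherwise the first non-internal hop in the Received headers."""
    if not is_internal(connecting_ip, internal_ranges):
        return connecting_ip  # at the edge: connecting IP == logical IP
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):  # top of the message = newest hop
        for candidate in _BRACKETED.findall(header):
            try:
                if not is_internal(candidate, internal_ranges):
                    return candidate
            except ValueError:
                continue  # bracketed text that is not an IP literal
    return None  # every hop was inside the internal ranges


if __name__ == "__main__":
    # Gateway behind an internal relay: the relay is skipped.
    print(logical_ip(SAMPLE, "10.1.2.3", ["10.0.0.0/8"]))
    # Gateway at the edge: the connecting IP is used directly.
    print(logical_ip(SAMPLE, "198.51.100.9", ["10.0.0.0/8"]))
```

Comparing the result against the "logical IP" field in the MAL record shows whether the configured internal ranges lead the reputation check to the address you expect.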