Symantec Messaging Gateway (SMG) is rejecting mail with a verdict of "System denied IP".
The IP address of the sender's Message Transfer Agent (MTA) may belong to either the Global Bad Senders list or the Local Bad Sender IPs list.
Your SMG MTA firewall did not defer the connection.
The "static-firewall-backup" policy detects messages that should be rejected by the SMG MTA and bounces the message to the sender with an appropriate response.
This behavior is normal when:
The filtering engine determines that the message needs to be accepted in order to establish the logical connection address
Queued message has the connection IP added to one of the Bad Senders lists after it was queued, but before it is processed by the spam filters.
IP address of message was removed
Alternately, a message may be filtered by one of the blocked IP lists but the IP was removed before the IP was checked via the IP Reputation Lookup page. In this case, the verdict will show "System denied IP" but no entry will appear in any Bad Sender lists.
Please note that Symantec Messaging Gateway (SMG) parses all the IPs in the received headers of message for an offending IP address to match against the Local Bad Sender IPs list even if the Connecting IP is not in the Symantec Global Bad Senders list.
As indicated above, the IP address that was matched to a list may not be the connecting IP address shown in the Message Audit Log entry and a packet capture may need to be performed to obtain the full message headers. You should then be able to find the IP address that is being matched to the Bad Sender's list.