Symantec Messaging Gateway (SMG) is rejecting mail with a verdict of "System denied IP".
Messaging Gateway
This behavior is normal when:
Alternately, a message may be filtered by one of the blocked IP lists but the IP was removed before the IP was checked via the IP Reputation Lookup page. In this case, the verdict will show "System denied IP" but no entry will appear in any Bad Sender lists.
Please note that Symantec Messaging Gateway (SMG) parses all the IPs in the received headers of message for an offending IP address to match against the Local Bad Sender IPs list even if the Connecting IP is not in the Symantec Global Bad Senders list.
As indicated above, the IP address that was matched to a list may not be the connecting IP address shown in the Message Audit Log entry and a packet capture may need to be performed to obtain the full message headers. You should then be able to find the IP address that is being matched to the Bad Sender's list.
If you believe that an IP has been erroneously listed in the Global Bad Sender list you can request that the IP be reviewed via the https://ipremoval.sms.symantec.com/lookup/ page.