Symantec Messaging Gateway (SMG) is rejecting mail with a verdict of "System denied IP".
Messaging Gateway
The IP address of the sender's email server may be on one or more of the following reputation services but the Action set to reject the connection:
By default, IP based filtering services take the Reject the connection action but, if the action is changed to something that requires Messaging Gateway to accept the message, Messaging Gateway will note that an IP matched one of the reputation lists in the audit logs before passing the message on to other filtering services for scanning rather than take the default action of rejecting the connection entirely.
Usually IP based reputation filtering only operates on the connecting IP but, if the action is not set to Reject or Defer the connection, all IP addresses in the message's Received headers will be tested against IP reputation services which are no longer operating at SMTP network connection time.
This behavior is normal when:
Alternately, a message may be filtered by one of the blocked IP lists but the IP was removed before the IP was checked via the IP Reputation Lookup page. In this case, the verdict will show "System denied IP" but no entry will appear in any Bad Sender lists.
If you believe that an IP has been erroneously listed in the Global Bad Sender list you can request that the IP be reviewed via the https://ipremoval.sms.symantec.com/lookup/ page.