The misleading error message was actually caused by the fact that the blacklisted client was actually *able to establish a TCP connection* to the server, but when established, the connection was closed. To the client, this really looks like it's not connecting to an SSH/SFTP server at all... Perhaps adding "and check your firewall settings" to the error message would make it more clear?
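The failure mode described above, as an added example that is not part of the original comment or of the client's own code: a small probe that separates "TCP connection refused" from "TCP connected, but the peer closed before sending an SSH identification line", which is what a blocked client sees. The function names and state labels are hypothetical, chosen for illustration.

```python
import socket
import sys

def find_banner(data):
    """Return the first complete line starting with 'SSH-' (RFC 4253, section 4.2), or None."""
    for line in data.split(b"\n")[:-1]:          # the last element is an incomplete line
        if line.startswith(b"SSH-"):
            return line.rstrip(b"\r").decode("ascii", "replace")
    return None

def classify_ssh_endpoint(host, port, timeout=3.0):
    """Return (state, detail) describing how far an SSH connection attempt gets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("tcp_refused", "no listener, or a firewall rejected the connection")
    except OSError as exc:                       # timeouts, unreachable hosts, DNS errors
        return ("tcp_failed", str(exc))
    data, ended = b"", "peer closed"
    with sock:
        try:
            # A server may send other lines before its identification string.
            while find_banner(data) is None and len(data) < 4096:
                chunk = sock.recv(256)
                if not chunk:                    # orderly close by the peer
                    break
                data += chunk
        except socket.timeout:
            ended = "timed out"
        except ConnectionResetError:
            ended = "peer reset"
    banner = find_banner(data)
    if banner:
        return ("ssh", banner)
    if not data:
        # The case from the comment above: the handshake never started.
        return ("connected_no_banner",
                f"TCP connected, then {ended} with no data; "
                "check server-side block lists and firewall settings")
    return ("not_ssh", f"{len(data)} bytes received, no SSH identification line")

if __name__ == "__main__":
    print(classify_ssh_endpoint(sys.argv[1], int(sys.argv[2])))
```

A client that reports the `connected_no_banner` state separately from `not_ssh` gives the user the firewall hint without claiming the server is not SSH.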