Emails blocked as spam by "Matched rule 107" due to large header size in Email Security.cloud

Article ID: 437349

Products

Email Security.cloud

Issue/Introduction

Legitimate emails are blocked by the Symantec Email Security.cloud service.

  • Track and Trace logs show the Reason as "Brightmail" or "filtered by Signaturing System".
  • Extended logging or support analysis indicates "Matched rule 107".
  • The email receives a spam verdict even if it does not contain typical spam content.

Environment

  • Symantec Email Security.cloud
  • Anti-Spam Service

Cause

This behaviour is by design to protect the infrastructure from malformed messages or potential denial-of-service attempts. The Email Security.cloud service (and the underlying Brightmail engine) imposes a limit on the total length of the email headers. If the combined length of all headers exceeds 42,768 characters, the message is automatically assigned a spam disposition via Rule 107.

Common triggers for large headers include:

  • A very high number of recipients in the To: or Cc: fields.
  • Excessive diagnostic or "References" headers added by previous mail hops or cloud services (e.g., Office 365, internal journaling).
  • Detailed routing information or large custom X- headers.

Resolution

To resolve this issue, the sender must reduce the header size to below the 42,768-character limit.

Recommended Workarounds:

  1. Use Distribution Lists: Instead of listing hundreds of individual recipients, use a distribution list. This keeps the To: header small as it only contains the list's address.
  2. Split the Message: Divide recipients into multiple emails to keep recipient headers within limits.
  3. Address External Headers: If headers are expanded by intermediate services (such as Office 365 adding untrusted headers), work with your mail administrator to strip unnecessary headers before mail reaches Symantec Email Security.cloud.
  4. Whitelisting (Workaround): Adding the sender's domain or IP address to the Approved Senders list in ClientNet can bypass the Anti-Spam check, allowing these specific messages to pass through. However, this is a workaround and does not address the underlying issue of the malformed header.
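
To find out which headers push a message over the limit, the following added example (not from the vendor's article) measures the header block of a saved message against the 42,768-character limit and lists the largest fields. The article does not say how the service counts characters, so the script assumes raw header text with folding whitespace included and line terminators excluded; the function names and the sample message are constructed for illustration.

```python
import re
import sys

HEADER_LIMIT = 42768  # combined header length limit stated in the article

def header_sizes(raw: bytes) -> list[tuple[str, int]]:
    """Return (field name, length in characters) for each header field.

    Assumption: length is counted on the raw header text, folding whitespace
    included and line terminators excluded; the article does not say how the
    service counts.
    """
    end = re.search(rb"\r?\n\r?\n", raw)           # blank line ends the headers
    block = (raw[: end.start()] if end else raw).decode("latin-1")
    sizes: list[tuple[str, int]] = []
    for line in re.split(r"\r?\n", block):
        if line[:1] in (" ", "\t") and sizes:      # folded continuation line
            name, length = sizes[-1]
            sizes[-1] = (name, length + len(line))
        elif ":" in line:
            sizes.append((line.split(":", 1)[0], len(line)))
    return sizes

def check_headers(raw: bytes, limit: int = HEADER_LIMIT) -> dict:
    """Total the header length and list the three largest fields by name."""
    per_name: dict[str, int] = {}
    for name, length in header_sizes(raw):
        per_name[name.lower()] = per_name.get(name.lower(), 0) + length
    total = sum(per_name.values())
    largest = sorted(per_name.items(), key=lambda kv: kv[1], reverse=True)[:3]
    return {"total": total, "over_limit": total > limit, "largest": largest}

def build_sample(n_recipients: int) -> bytes:
    """Constructed sample message with n_recipients addresses folded in To:."""
    rcpts = ",\r\n ".join(f"user{i:04d}@example.com" for i in range(n_recipients))
    return (
        "From: sender@example.org\r\n"
        f"To: {rcpts}\r\n"
        "Subject: Quarterly update\r\n"
        "\r\n"
        "Body text is not counted.\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    # Pass a saved .eml path, or run with no argument to use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(2000)
    print(check_headers(data))
```

Run it against a copy of the blocked message as it arrived at the service, since headers added by earlier hops count toward the total.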