Some messages that are not spam receive a spam verdict when sent through a Symantec Messaging Gateway (formerly known as Symantec Brightmail Gateway) appliance.

The Message Audit Log (MAL) will show a spam verdict. There will be a log entry, similar to the one shown below, in bmserver_log at NOTICE level:

2017-04-16T19:15:47-07:00 (NOTICE:24562.2819054512): [11013] bltModEndMessage: (regex filter) headers length 33932 > max allowed 42768, returning spam disposition.

This behavior is by design.  Messages with combined length of all the headers exceeding 42768 characters will receive a spam verdict.

A common cause for large headers is the number of message recipients. To reduce the size of the message headers, limit the number of recipients of the message so that the total header size is less than 42768 characters.  This can occur also for outgoing e-mail sent from within to large banks of recipients.

Three solutions that can counteract the same problem affecting outbound messages are as follows.

1. Divide the recipients into separate messages.
2. White-list the senders (this bypasses outbound spam detection)
3. Use a distribution list instead of massive amounts of individual address's. A distribution list will not add all of the intended recipients to the header. This could be the most convenient solution.