sorry forgot to add system information.

We are using SBG 9.0.2 with Exchange 2007 SP1.

You have not misconfigured anything. This means that the person who sent you the message was using a client that is not RFC compliant. We do this detection as you see to prevent spammers from getting their spam by our scanners. If they make the message in haphazard way we won't be able to scan the content and it will get through to your users.

Unfortunately there is not much you can do in this situation aside from allowing the malformed messages or lowering the sensitivity to malformed messages.

Thank your for your response, I will pass along the information to the users. One quick question, if we are having an issue with a particular sender that we know is valid would adding them to the good senders list bypass the scanning for that particular sender or will they still be subject to this check ?

I thnk you have also hit on one of the key points about the unscannable verdict - it does not mean that the message wasn't also checked for spam and virus contents.  The unscannable verdict simply means that Symantec can not ensure the message has been fully scanned due to malformed MIME, scanning time-out, or other issue.  Some customers choose to deliver unscannable verdicts normally (Symantec will still attempt spam and virus scans on the message), and you can also choose other options such as marking up the subject as a warning.

Quick workaround here is to create a policy to not scan attached files that are classified as document files. The only drawback here is that you're allowing malware using those types of file extenstions to passthrough so you better have a good AV in the endpoints. :D

Thanks for the responses, for now we have allowed unscannable messages to be delivered with the subject line appended with a warning. The number seems a bit high ~ 300 a day but may be normal not sure yet as we have only been using brightmail for a month or so.

One question that did come up, is there a way to forward the message to an admin mailbox or another quarantine with with the attachments still available but deliver the message stripped of attachments to the user or their spam quarantine ? I tried configuring this by creating a forward rule to another mailbox and then stripping the attachments but it seems like it will perform the strip prior to the forwarding. The only reason we were investigating this was so we could strip the attachments but if the user needed them and they were legitimate we could retrieve them.