I have had an issue appear over the last week or so with High utilization.  In particular one email was coming from a large organization to 3 users within our system.   The message kept resending every few hours, and constantly brought the box to its knees.  I tried black listing and white listing the user to kill the message, to no avail.  Finally, with some help from another co-worker, we added the users email address to the Blacklist FROM list, and added the ::null command to keep the system from processing the message.

After coming in this morning, another user from the same company was bulk mailing the same 3 users in our company, and it was locking up the Spamfilter.  For some reason the message had made it through the system a couple of times, and since one of the users on the "to" field didn't exist, the message went to the administrator.  What we finally realized was that the size of the message (1 meg), was not due to an attachment, it was due to an unusual large quantity of email addresses in the "TO" field. The actual message was a very small.

Besides the fact the user sending a message to 1 meg of users in the "TO" field is due to the sender being an IDIOT.  This is a bit of a bug with spamfilter, and I suspect this has been a source of issues I have had with messages that seemed to constantly resending into the system (I had one message from a supplier come to me 24+ times, it just seemed to get stuck and resend  constantly. It finally failed and gave up delivering the message from the source system).  

Has anybody else run into this?

Is there anyway to turf a message that has an unusual quantity of emails in the "TO" field. I realize I can limit the number messages coming into internal users,  however it might be good to block messages that contain an unusual number of non-company addresses.  Most professional mailing lists do NOT put all of their customers addresses in the "TO" field, they use a list server or blind copy the message.

Is there a work around to keep it from killing my Mail gateway?

We are running the latest version   2.7.1.515   I upgraded last week when this particular problem seemed to appeared.

Unfortunately, The sample message got deleted.   Thanks to a helpful assistant.

As I mentioned, the problem seems to be related to the fact the customer had about 1 meg worth of addresses in the TO field.  Only 3 addresses were ours.  Last week, the message that was freezing up the system was from a different user at the same site.  I never got a sample of the message; however the total message size was about 500k.  I had assumed the message had a large attachment, however from what I have seen this morning, it likely had a huge quantity of Email addresses in the TO field, which caused the same Issue as I had this morning.

As I was replying to this, the same email was hitting the gateway.  It drove the utilization to the max showing the message in the PROCESSING state, and brought the box to a grind again.  I had to restart the spamfilter service to get things going.  When I check the log after restarting, the messages were REJECTED.  I can only hope that like last week, once the message was REJECTED, the sending system stopped trying to deliver it.

Ahh, I went into the temp directory and found the message, along with the one from last week.  Due to security concerns, can you contact me directly at my email address.   I will then forward the samples to you.  (The user has emailed their Company Directory in the "TO" field, our 3 users appear about halfway down the list).