Hi Neal. I do not know why the rule did not work. Hopefully ST will chime in here and give an answer.

 

I wanted to let you know that we offer a program called Declude which works very well with SM and it's 100% FREE of charge. Declude includes a program called Hijack which will prevent mass amounts of spam email from leaving your server in the event of a compromised account or service. It's super easy to set up and configure. I thought I should mention it since you said you had a compromised service which caused thousands of emails to be sent. If you have any questions, please let me know and I will be happy to help you. You can download Declude from the following link if you would like to have the extra layer of Hijack protection: http://mailsbestfriend.com/downloads/. I hope this helps. Thanks!

Hello Neal,

 

Were these messages sent from an account on the server to other accounts on the server? The name may be a bit confusing as it does say internal but our help docs do state that the internal spammer rule only applies to external deliveries.

I did do a test locally of a rule set to notify at 50 messages within 5 minutes and it did notify me as expected.