Hello Heimir, 

The IDS rule "Internal Spammer" is triggered off of the number of emails being sent out of SmarterMail per user. Since the trigger from webmail there is no associated IP. 

"Enabling this rule in SmarterMail will block or quarantine an account from sending mail, as well as alert an administrator, whenever multiple emails from a single sender are delivered externally from the server during a specified time frame."

If a user ( in webmail ) sends out more then XXX emails in XXX minutes then the account is blocked from sending more messages for XXX minutes. 

I hope this helps clear things up. 

Thank you

Tony

That is very helpful.

Thank you for the great response..

So at this moment I have several that shows up under IDS but I dont have a rule that reads Internal spammer.

I see its an option but I dont have created one.  

When I look under user activity I dont see the IP addresses listed by internal spammer.

So how do I find out whats going on since none of the IP addresses listed as internal spammers does not show up in the log files?
I feel like Im missing the obvious.

I'm seeing the same thing with SM Version 8125.  No Internal Spammer Rule and cannot find the IP Addresses in any log.  SMTP and Delivery Logs are set to "detailed".

I do have a "Default SMTP Password Brute Force strict rule" setup and every Internal Spammer violation has a corresponding SMTP Brute Force Violation at the same time.

I have the same symptoms - one Internal Spammer "Delivery" block for almost every SMTP block.  I have opened a ticket for clarification, but apparently the change in behavior is related to this release notes entry:

Build 8083 (Feb 17, 2022)
Fixed: Internal Spammer IDS actions (Quarantine and Block) do not appear on the IDS Blocks page or in Administrative logs. 

So maybe the behavior has always been there, but invisibly, and now it is visible.

+1

I'm getting internal spammer after updating to 8125 from 8055.  I skipped both 8083 and 8097.

I have determined that the SMTP IDS blocks appear in the SMTPlog file, and the Delivery IDS blocks appear in the Administrative log file.    I can tell that both types are triggered by the same IDS rule because of the duration of the resulting block rules.  Support confirms that it is a bug.  For my situation, it is a surprise but no harm done.

Any update on this?  In case it is helpful in tracking down, I've noticed that if I make a change to the "SMTP Password Brute Force by Protocol" setting, it almost always results in all items listed as SMTP Password Brute Force by Protocol being added to the Delivery Internal Spammer IDS area.  But lots of things can show up in the Internal Spammer area without making such a change, too.