Email Message Size Limits – The Update

The Microsoft Exchange team wrote a blog post back in 2006 summarizing the need for email message limits.
Email size limits help protect you against denial of service attacks. Intentional or not, internal sender or external, a large message can consume all available resources. The problem can be aggravated by antivirus for Exchange. It only has so many processes, and a traffic jam can occur while it's trying to deal with this massive file.

Outbound messages may not even reach their destination. The public mail servers like Yahoo, Gmail and Hotmail limit their message size to 10-25 MB. Many companies protect themselves by putting these limits in place as well.
I don't think it's too old school to say it's bad netiquette to send large email messages.

Alternative methods like file servers and SharePoint are good internally. Externally, companies need to be providing easy-to-use file transfer services. Otherwise users will end up using potentially insecure third-party transfer websites like YouSendIt or even, god forbid, P2P.

When I wrote about message limits in October of 2006, I was hoping that we would end up with a 50 MB message limit at the mail gateway but guessed that we would end up with a 100 MB limit. Instead we ended up with a ludicrous 500 MB limit. As Microsoft says, an outrageously large limit (to quiet the restless natives) is the same as the lack of mailbox and message size limits.

The high limits (and no limit internally) have caused multiple performance issues affecting availability this year. Management is now willing to put a (still really high) 50 MB limit on messages sent via Outlook, but they are not willing to put a better limit on incoming email. We've produced statistics showing the low number of messages that would be blocked. At a certain point you just document that management has accepted this risk.
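An added example (not from the original post) of producing that kind of statistic: it counts how many received messages each candidate limit would have blocked, reading a constructed sample laid out like an Exchange message tracking log. The column subset, the sample values and the function names are assumptions.

```python
import csv
from collections import Counter

MB = 1024 * 1024

# Constructed sample in the layout of an Exchange message tracking log ('#Fields:'
# names the columns). Only a subset of columns is shown; all values are made up.
SAMPLE_LOG = """\
#Log-type: Message Tracking Log
#Fields: date-time,event-id,source,message-id,total-bytes,recipient-count,sender-address
2010-03-01T09:00:00.000Z,RECEIVE,SMTP,<a1@example.com>,48213,1,alice@example.com
2010-03-01T09:00:01.000Z,DELIVER,STOREDRIVER,<a1@example.com>,48213,1,alice@example.com
2010-03-01T09:05:00.000Z,RECEIVE,SMTP,<b2@example.net>,31457280,3,bob@example.net
2010-03-01T09:07:00.000Z,RECEIVE,SMTP,<c3@example.org>,78643200,1,carol@example.org
2010-03-01T09:09:00.000Z,RECEIVE,SMTP,<d4@example.net>,419430400,12,bob@example.net
"""

def read_received(log_text):
    """Yield (sender, size_bytes), one per message, from RECEIVE events."""
    fields, seen = None, set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, next(csv.reader([line]))))
            # Count each message once: one message produces several events.
            if row["event-id"] != "RECEIVE" or row["message-id"] in seen:
                continue
            seen.add(row["message-id"])
            yield row["sender-address"], int(row["total-bytes"])

def limit_impact(log_text, limits_mb=(10, 25, 50, 100)):
    """For each candidate limit (MB), report what it would have blocked."""
    messages = list(read_received(log_text))
    report = {}
    for limit in limits_mb:
        over = [(s, b) for s, b in messages if b > limit * MB]
        report[limit] = {
            "blocked": len(over),
            "percent": round(100.0 * len(over) / len(messages), 1) if messages else 0.0,
            "blocked_mb": round(sum(b for _, b in over) / MB, 1),
            "top_senders": Counter(s for s, _ in over).most_common(3),
        }
    return report

if __name__ == "__main__":
    for limit, stats in limit_impact(SAMPLE_LOG).items():
        print(f"{limit:>4} MB limit: {stats}")
```

The per-limit counts and the short list of senders who would be affected are the figures to attach to the risk documentation.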

As I finish writing this, I see the new Hotmail allows up to 200 50 MB attachments on a single email message. Still hard to attach a > 51 MB attachment. But this doesn't actually change my point. This limit isn't because of how I think the Internet should work. It's a technology limitation. Perhaps Exchange 2010 won't fall to its knees with a 100 MB message. Even so, with no guarantee of the recipient's server capabilities, I think it's better to keep limits imposed.

One Comment

  1. I agree with the comment “document that management has accepted this risk”. What we’ve done in many cases is to formally document the risk in a “threat risk assessment” and then put it in front of management for a signature. This is the only true way to get their attention and find out if they really are willing to “accept the risk” by placing a signature on the TRA. Quite often they finally “see the light” and authorize the appropriate controls to further mitigate the risk.
