Yesterday I found the following messages in /var/log/maillog:

Jan 27 11:35:46 foo sendmail[214]: rejecting connections on daemon IPv4: load average:22
Jan 27 11:35:46 foo sendmail[214]: rejecting connections on daemon MSA: load average:22

The above messages are repeated in every 15 seconds, meanwhile there were virtually no visible mail traffic for one hour. I think it can be mydoom overloading our mailserver.

However, from the above log lines, I expected that there should be hundreds of connection attempts to port 25 of our firewall, where the mailserver listens.
But I was wrong: to my surpise, there were hardly any IP addresses sending syn packages to port 25 of our firewall during that 60 minutes-lasting mail service interrupt.

How is this possible?
How could our mailserver complain about excessive load, meanwhile I cannot see hardly any connection requests to port 25 from the outside?
If it was from the inside, why did it stop after one hour? (Users keep their computers on whole day)

There was probably a very hung process somewhere chewing on something really big (a huge mail queue?). Did you try running top?

No, I could not, as I only noticed this problem later, when it was over.
Now I monitor port 25 of the mailserver by tcpdump, waiting for this thing to happen again.

However, you may be right that the problem may have been caused by an excessive system load. One user started a file search on that server 2 minutes before the problem occured, and she complained of the search taking much too long time (file search util: apache + php). Maybe my file search script is buggy or eats up resources? I hope not.