9.6.0-049 (previous official release). I keep them updated as they are released to the general public. I already have a TAC case open. I was more wondering if something changed fundamentally with the SPAM scanning engines or the rules. I download the rules often when I see they are out of date even though they are set to download and apply every hour.

No, nothing changed - usually it wouldn't change between two minor revisions. I would suspect something went wrong with your rulesets - I'm just speculating here, you should really talk to TAC and potentially ask for escalation to an Escalation Engineer.

Normally I would agree with you except I already have a TAC case open and went through the SPAM ruleset and no issues were found.

What seems to be fixing the issue is changing the 80/40 (Positively/Suspect) to 70/30 but its a pain to do for every client (over hundreds) on two clusters with the wonderful speed of the GUI (web frontend) taking 5 minutes to open each client.

That's definitely not normal behavior - make sure you get it thoroughly investigated and escalated as necessary. Reach out to your Cisco Security Consulting Systems Engineer for advice and monitoring of the ticket.

Thanks for your patience :)

Will do, thanks for the replies and taking the time to answer!

:)

I figured what the heck, and escalated the TAC case 

TAC escalation did indeed find the SPAM CORE definitions were not in date EVEN though they show current in the GUI. Apparently they broke at point of upgrade and never actually applied since the upgrade even though they were going out to Cisco's site and pulling them down.

Thanks Cisco, another great job on your software!