Cisco Secure Email Support Community

kyerramr
Beginner

Yahoo IPs with Low SBRS and Mail Delays

Hello,

Cisco IronPort has seen an increase in spam and other unwanted emails originating from IP addresses registered with and belonging to Yahoo! This spam originates mainly from Yahoo! Mail and Yahoo! Groups email addresses. This increase in spam has been reported by our customers through end user complaints as well as an increase in spam trap reports. The result has been a drop in the reputation of up to 5% of Yahoo’s IPs from good to the neutral range (between -2 and +1).

Cisco IronPort recommends that ESA customers throttle incoming connections from IPs with a neutral reputation score once the maximum number of connections has been reached. This results in Yahoo! IPs being throttled with the comment “Too many connections this hour”. Several customers have complained about not receiving emails from Yahoo! based not on Cisco IronPort intentionally blocking Yahoo’s IPs, but instead providing a reputation score based on the complaints we have seen and the threat of missed spam to our customers globally.

How can I avoid throttling Yahoo mail?

Cisco IronPort Email Security Appliance can be configured to not throttle mail by creating custom mail flow policies and sender groups for Yahoo domain mail servers (.yahoo.com).

More information on how to create custom mail flow policies and sender groups can be found in Cisco IronPort Email Security Appliance - Configuration guide (The Host Access Table (HAT): Sender Groups and Mail Flow Policies): http://www.cisco.com/web/ironport/index.html

Note: Accepting mail from domains or mail servers with low SenderBase reputation may lead to an increase in missed spam and potentially cause performance issues.

What steps has Cisco taken to help with this issue?

We have been communicating with the appropriate contacts at Yahoo! regarding their outbound mail issue and we have been assured that they’re working on it. Cisco IronPort has been providing Yahoo! with reports and any information that could help Yahoo! get to the bottom of this. While Yahoo! has told us that they are aware of this and are working on it, we do not have the specific details of steps Yahoo! has taken. We will continue to work with Yahoo! to help them resolve this issue.

Cisco IronPort has been actively updating rules numerous times a day against spam received from Yahoo! This should help against some of the missed spam issue if the customers were to take steps to accept all emails from Yahoo! and run IronPort AntiSpam on them. We request that customers continue to submit spam messages to spam@access.ironport.com or use one of our plugins (MS Outlook or Lotus Notes) to report these missed spam emails.

Best Regards,
Cisco IronPort Customer Support
1 REPLY 1
exMSW4319
Participant

I'm very interested in this as (a) we do have a small but ongoing spam issue from all of the major freemailers including Yahoo, and (b) the posting specifically names an organisation. I didn't know if this was a major taboo on the forum as in some cases it can invite all sorts of legal problems. If there are any general guidelines for posting that I've missed then please point them out.

Regards freemailers in general and the latest Yahoo issue in particular, is the problem mainly sweatshop spam or are the mails being automatically generated? Do they pass through the organisation's "official" MTA (if there is one) or are they simply emerging from some assigned IP that happens to be port 25-enabled?

I ask from the point of view of doing something via header parsing if possible, though I admit that that's hardly following the "customer hands-off" ethos of appliance ownership.

In either case thanks for the heads-up; I'm off to check my logs now.
