Cisco IronPort has seen an increase in spam and other unwanted emails originating from IP addresses registered with and belonging to Yahoo! This spam originates mainly from Yahoo! Mail and Yahoo! Groups email addresses. This increase in spam has been reported by our customers through end user complaints as well as an increase in spam trap reports. The result has been a drop in the reputation of up to 5% of Yahoo’s IPs from good to the neutral range (between -2 and +1).
Cisco IronPort recommends that ESA customers throttle incoming connections from IPs with a neutral reputation score once the maximum number of connections has been reached. This results in Yahoo! IPs being throttled with the comment “Too many connections this hour”. Several customers have complained about not receiving emails from Yahoo! This is not the result of Cisco IronPort intentionally blocking Yahoo’s IPs, but of our providing a reputation score based on the complaints we have seen and the threat of missed spam to our customers globally.
How can I avoid throttling Yahoo mail?
The Cisco IronPort Email Security Appliance can be configured not to throttle mail by creating custom mail flow policies and sender groups for Yahoo domain mail servers (.yahoo.com).
More information on how to create custom mail flow policies and sender groups can be found in Cisco IronPort Email Security Appliance - Configuration guide (The Host Access Table (HAT): Sender Groups and Mail Flow Policies): http://www.cisco.com/web/ironport/index.html
Note: Accepting mail from domains or mail servers with a low SenderBase reputation may lead to an increase in missed spam and potentially cause performance issues.
What steps has Cisco taken to help with this issue?
We have been communicating with the appropriate contacts at Yahoo! regarding their outbound mail issue and we have been assured that they’re working on it. Cisco IronPort has been providing Yahoo! with reports and any information that could help Yahoo! get to the bottom of this. While Yahoo! has told us that they are aware of this and are working on it, we do not have the specific details of steps Yahoo! has taken. We will continue to work with Yahoo! to help them resolve this issue.
Cisco IronPort has been actively updating rules numerous times a day against spam received from Yahoo! This should help with some of the missed spam if customers take steps to accept all emails from Yahoo! and run IronPort AntiSpam on them. We request that customers continue to submit spam messages to email@example.com or use one of our plugins (MS Outlook or Lotus Notes) to report these missed spam emails.
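The throttling and the exemption described in the post above can be modelled in a few lines. This is an added example, not part of the original post and not Cisco's code. The group and policy names, the cap of 3 connections per hour, the fixed hourly bucket, the first-match-wins ordering and the sender (192.0.2.10, score 0.4) are assumptions constructed for illustration.

```python
from collections import defaultdict

NEUTRAL = (-2.0, 1.0)                            # neutral band quoted in the post
THROTTLE_MSG = "Too many connections this hour"  # comment quoted in the post

def in_neutral(ptr, score):
    return score is not None and NEUTRAL[0] <= score <= NEUTRAL[1]

def is_yahoo(ptr, score):
    # Suffix match on the PTR name; the leading dot keeps "notyahoo.com" and
    # "yahoo.com.example.net" out of the group.
    return bool(ptr) and ptr.lower().rstrip(".").endswith(".yahoo.com")

class HatModel:
    """Ordered sender groups (first match wins) plus a per-IP hourly cap."""
    def __init__(self, groups, caps):
        self.groups = groups          # list of (group name, predicate, policy)
        self.caps = caps              # policy -> max connections/hour, None = no cap
        self.seen = defaultdict(int)  # (ip, hour bucket) -> connections so far

    def connect(self, ip, ptr, score, ts):
        group, policy = "DEFAULT", "ACCEPT_UNCAPPED"
        for name, matches, pol in self.groups:
            if matches(ptr, score):
                group, policy = name, pol
                break
        self.seen[(ip, int(ts // 3600))] += 1
        cap = self.caps.get(policy)
        if cap is not None and self.seen[(ip, int(ts // 3600))] > cap:
            return group, "throttled: " + THROTTLE_MSG
        return group, "accepted"

CAPS = {"THROTTLE_NEUTRAL": 3, "YAHOO_NO_THROTTLE": None}   # hypothetical policies
NEUTRAL_GROUP = ("NEUTRAL", in_neutral, "THROTTLE_NEUTRAL")
YAHOO_GROUP = ("YAHOO", is_yahoo, "YAHOO_NO_THROTTLE")

def simulate(groups, ptr="mta1.mail.yahoo.com", score=0.4, n=5):
    """Replay n connections in one hour from a constructed sender (192.0.2.10)."""
    hat = HatModel(groups, CAPS)
    return [hat.connect("192.0.2.10", ptr, score, 1000 + i) for i in range(n)]

if __name__ == "__main__":
    for label, groups in (("neutral only", [NEUTRAL_GROUP]),
                          ("yahoo first", [YAHOO_GROUP, NEUTRAL_GROUP]),
                          ("yahoo last", [NEUTRAL_GROUP, YAHOO_GROUP])):
        print(label, [verdict for _, verdict in simulate(groups)])
```

In this model the exemption only takes effect when the Yahoo group is evaluated before the neutral-score group, and exempted senders are no longer rate-limited at all, so anti-spam scanning is the remaining control on that traffic.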
I'm very interested in this as (a) we do have a small but ongoing spam issue from all of the major freemailers including Yahoo, and (b) the posting specifically names an organisation. I didn't know if this was a major taboo on the forum as in some cases it can invite all sorts of legal problems. If there are any general guidelines for posting that I've missed then please point them out.
Regards freemailers in general and the latest Yahoo issue in particular, is the problem mainly sweatshop spam or are the mails being automatically generated? Do they pass through the organisation's "official" MTA (if there is one) or are they simply emerging from some assigned IP that happens to be port 25-enabled?
I ask from the point of view of doing something via header parsing if possible, though I admit that that's hardly following the "customer hands-off" ethos of appliance ownership.
In either case thanks for the heads-up; I'm off to check my logs now.