hi,
Has the total percentage of threat messages or the number of clean messages being delivered changed? If these numbers are consistent (especially the second one), it would seem that there is simply a shift from blocking these messages later at content scanning time, to connection time based on these IPs historically sending spam to your environment.
I noticed that you do not have any Symantec Global Bad Senders reputation verdicts. I would recommend turning this feature on to block even more spam at connection time - this will lead to increased spam detection, better performance and eliminate spam before it enters your messaging environment.
Hope that helps,
Amanda