Nov 24 2017 04:54 AM
Good day all and happy Friday!
I see that spam reports has become much more informative, but this is the thing:
When I'm trying to hunt around about spam report, I have only option to choose Content filtered report. Only blue line with this report can be selected (clickable). However I see SMTP blocked, IP blocked, Directory blocked in the right of my report but where are all these data? In real time report (by hitting the blue line) or even after this report was scheduled and sent on my email I've only content filtered data in Event type ID column.
How can I quickly find these 1500 blocked IP if I have to review it or provide this information to the security officer? I have only content filter in all of my tenants, and no columns with SMTP blocked or IP blocked senders. Please help.
PS. I hope that Vasil M. will find my question interesting ^^_
Nov 24 2017 06:13 AM
Hello Dima Razbornov,
I think it seems to be a bug. You can get that missing information easily by executing 'Get-MailDetailSpamReport' PowerShell cmdlet.
If you are not interested in playing with PowerShell then you can get the help from 3rd party tools. AdminDroid is one such tool which can help you with your requirement. You can find the demo of spam report and the mail traffic dashboard.
Nov 24 2017 10:57 AM
SolutionYou can't, most of these are blocked even before hitting the Exchange servers, so there is no information available in any report. Third party tools included.
If you need "official" answer, the details are here: https://technet.microsoft.com/en-us/library/dn500744(v=exchg.150).aspx
Nov 25 2017 07:59 AM
Admin droid are cool, but they don't provide more information than original Office 365 reports. I've tried them before asking my question.
Get-MailDetailSpamReport provides the same Event type, so there is no magic there if you look on it by yourself.
Event Type : SpamContentFiltered
Dec 02 2017 02:32 PM
That seems like a shortcoming. If the system knows enough to show you on a report that 1689 messages were "IP blocked" it should be able to give details on each of those messages explaining why. The data is obviously logged somewhere. It needs to be exposed to admins. As it stands we have no visibility into the details of the vast majority of blocked messages.
Dec 03 2017 10:33 AM
Well, do you really want to have a list of all the gazillion messages from that random well-known spammer? Even if you have the list, there's not much you can do with it - these messages never reach the service, you cannot "whitelist" them or anything.
But you can always try to convince Microsoft, that's why we have UserVoice (or go directly to your TAM).
Dec 03 2017 10:43 AM
We can easily create our own white list and override default behavior using this functionality:
Apr 19 2019 04:11 AM
Seems this problem has been last for more than 1 year but not be able to resolved...
First of all, exchange online formally discouraged tenants using external secure mail gateway as the first line of defend of inbound MX. This screwed me of analyzing inbound IP already.
Ok I can ignore that. But then the spam IP blocking action does not have a proper report. How can I tell whether the inbound IP blocking was a correct or not?
Can Microsoft grant tenants the options of enabling/disabling the spam IP blocking action?
Nov 24 2017 10:57 AM
SolutionYou can't, most of these are blocked even before hitting the Exchange servers, so there is no information available in any report. Third party tools included.
If you need "official" answer, the details are here: https://technet.microsoft.com/en-us/library/dn500744(v=exchg.150).aspx