SOLVED

Office 365 Spam detections Report


Good day all and happy Friday!

 

I see that spam reports have become much more informative, but this is the thing:

When I'm trying to hunt around in the spam report, I have only the option to choose the Content filtered report. Only the blue line with this report can be selected (clickable). However, I see SMTP blocked, IP blocked, Directory blocked on the right of my report, but where is all this data? In the real-time report (by hitting the blue line), or even after this report was scheduled and sent to my email, I have only content filtered data in the Event type ID column.

How can I quickly find these 1500 blocked IPs if I have to review them or provide this information to the security officer? I have only content filter in all of my tenants, and no columns with SMTP blocked or IP blocked senders. Please help.

Screenshot_13.png

 

 

PS. I hope that Vasil M. will find my question interesting ^^_

7 Replies
Highlighted

Hello Dima Razbornov,

 

I think it seems to be a bug. You can get that missing information easily by executing the 'Get-MailDetailSpamReport' PowerShell cmdlet.

If you are not interested in playing with PowerShell then you can get help from 3rd party tools. AdminDroid is one such tool which can help you with your requirement. You can find the demo of the spam report and the mail traffic dashboard.

Highlighted
Best Response confirmed by Dima Razbornov (New Contributor)
Solution

You can't, most of these are blocked even before hitting the Exchange servers, so there is no information available in any report. Third party tools included.

 

If you need an "official" answer, the details are here: https://technet.microsoft.com/en-us/library/dn500744(v=exchg.150).aspx

Highlighted

AdminDroid is cool, but it doesn't provide more information than the original Office 365 reports. I tried it before asking my question.

Get-MailDetailSpamReport provides the same Event type, so there is no magic there if you look at it yourself.

Event Type        : SpamContentFiltered

Highlighted

That seems like a shortcoming. If the system knows enough to show you on a report that 1689 messages were "IP blocked" it should be able to give details on each of those messages explaining why. The data is obviously logged somewhere. It needs to be exposed to admins. As it stands we have no visibility into the details of the vast majority of blocked messages. 

 

Capture.PNG

 

Highlighted

Well, do you really want to have a list of all the gazillion messages from that random well-known spammer? Even if you have the list, there's not much you can do with it - these messages never reach the service, you cannot "whitelist" them or anything.

 

But you can always try to convince Microsoft, that's why we have UserVoice (or go directly to your TAM).

Highlighted

We can easily create our own white list and override default behavior using this functionality:

Screenshot_22.png

Highlighted

Seems this problem has lasted for more than 1 year without being resolved...

First of all, Exchange Online formally discouraged tenants from using an external secure mail gateway as the first line of defense for inbound MX. This already screwed me out of analyzing inbound IPs.

Ok, I can ignore that. But then the spam IP blocking action does not have a proper report. How can I tell whether the inbound IP blocking was correct or not?

Can Microsoft grant tenants the option of enabling/disabling the spam IP blocking action?