MailDetailSpam report
The MailDetailSpam REST URI provides details about the processing steps taken on email messages identified as containing spam while the message was being processed. The start and end date/time of the report can be specified in the request.
Applies to: Office 365
In this article
REST URIs
Fields
Remarks
Examples
Input parameters and report output columns
Compatibility
Corresponding PowerShell cmdlets
Permissions
Data granularity, persistence, and availability
REST URIs
https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailSpam[?ODATA options]
Fields
The following fields can be specified in $select, $filter and $orderby ODATA2 query options. All fields are returned if no $select option is provided.
Name |
WCF Type* |
EDM Type* |
[In/Out]** Description |
Example values |
Added in service version |
|---|---|---|---|---|---|
Action |
string |
None specified |
[In/Out] Description of the action taken on the message, if any. This field may be blank, or null if no action was performed. For information about valid Action values, see MailFilterList report. |
SetSpamConfidenceLevel, RejectMessage |
2013-V1 |
Date |
System.DateTime |
Edm.DateTime |
[In/Out] The date and time the message was detected as being spam. |
Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM") |
2013-V1 |
Direction |
string |
None specified |
[In/Out] Specifies whether the mail was being sent into (Inbound) or out from (Outbound) the organization when it was detected as being spam. |
Values are restricted to Inbound and Outbound. |
2013-V1 |
Domain |
string |
Not specified |
[In/Out] The fully qualified domain name that was processing the email. |
example.onmicrosoft.com |
2013-V1 |
EndDate |
System.DateTime |
Edm.DateTime |
[In] This field is used to limit the report period. Use this field in a $filter query option to set the end date and time of the reporting period. If you supply EndDate in the $filter option, you must also supply StartDate. |
Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM") |
2013-V1 |
EventType |
string |
None specified |
[In/Out] The type of scanning event logged. For information about valid EventType values, see MailFilterList report. |
SpamContentFiltered, SpamIPBlock |
2013-V1 |
MessageId |
string |
None specified |
[In/Out] The Internet MessageID header of the message, if one was supplied. This value can also be explicitly null. |
If no ID was provided for the message, the report data will show <d:MessageId m:null="true" /> for Atom, and "MessageId":null for JSON. |
2013-V1 |
MessageSize |
int |
Edm.Int64 |
[In/Out] The message size in bytes. |
130840 |
2013-V1 |
MessageTraceId |
System.Guid |
Edm.Guid |
[In/Out] An identifier used to get the detailed message transfer trace information. The internal format of the MessageTraceId field should be considered opaque, as the format may change. For more information about message tracing, see MessageTrace report. |
ae4ad8f6-7613-411c-e67e-08cfc740629 |
2013-V1 |
Organization |
string |
None specified |
[In/Out] The fully qualified domain name that was processing the email message. |
example.onmicrosoft.com |
2013-V1 |
RecipientAddress |
string |
None specified |
[In/Out] The SMTP email address of the user that the message was addressed to. |
userone@example.onmicrosoft.com |
2013-V1 |
SenderAddress |
string |
None specified |
[In/Out] The SMTP email address of the user the message was purportedly from. Because sender addresses are commonly spoofed in spam email messages, they are not considered completely reliable. |
usertwo@example.onmicrosoft.com |
2013-V1 |
StartDate |
System.DateTime |
Edm.DateTime |
[In] This field is used to limit the report period. Use this field in a $filter query option to set the start date and time of the reporting period. If you provide a StartDate in the $filter option, you must also specify and EndDate. |
Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM") |
2013-V1 |
Subject |
string |
None specified |
[In/Out] The subject line of the message, if one was present on the message. |
Free M0ney WoN! |
2013-V1 |
*WCF Type refers to the .NET Framework data type assigned to the field when you create a Windows Communications Framework (WCF) Service Reference in Visual Studio. The EDM Type refers to the ADO.NET Entity Data Model (EDM) types returned in Atom-formatted reports.
**[In/Out]: see the Input parameters and report output columns section.
Remarks
Each entry in the report includes several fields of metadata. For more information, see Common metadata returned by the Office 365 Reporting web service.
The Date field indicates when the messages were handled by the Office 365 system, and are reported in the time zone of those servers.
Using StartDate and EndDate
The StartDate and EndDate fields do not provide useful information in the report results, and are always set to 0001-01-01T00:00:00Z in the report output. They are intended to enable easy restriction of the reporting time window, and provide finer precision than would be available in a "daily" report.
This can be especially helpful, for example, when recording email-based denial-of-service attacks on an hourly basis. When using these fields, you must include both StartDate and EndDate fields in the $filter option. They are both considered optional, but if you provide one, you have to provide the other. If the StartDate/EndDate pair are not provided in the query, the default reporting time period is the previous two weeks. The Examples section that follows shows how to use the StartDate and EndDate fields.
Examples
The following example shows how to retrieve a MailDetailSpam report that lists the first three spam message actions ($top=3) during the period from 5AM to 6AM on January 27th, 2013 (the $filter= option). It returns only the Date, Subject, and EventType fields (using $select=), and the entries are sorted in reverse chronological order ($orderby). When using this query style to restrict the report period, you must include both StartDate and EndDate fields. If you use only one, the request will fail. If you leave both off, the reporting period will default to the previous two weeks. For clarity, line-breaks were added to the request, and some Atom XML results were removed from the results.
https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailSpam?
$select=Date,Subject,EventType&
$filter=StartDate%20eq%20datetime'2013-01-27T05:00:00'%20and%20EndDate%20eq%20datetime'2013-01-27T06:00:00'%20&
$top=3&
$orderby=Date%20desc&
$format=Atom
<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/"
xmlns="http://www.w3.org/2005/Atom"
xmlns:d="https://schemas.microsoft.com/ado/2007/08/dataservices"
xmlns:m="https://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
<id>https://example.onmicrosoft.com/ecp/reportingwebservice/reporting.svc/MailDetailSpam</id>
<title type="text">MailDetailSpam</title>
<updated>2013-01-31T08:02:50Z</updated>
<link rel="self" title="MailDetailSpam" href="MailDetailSpam" />
<entry>
<id>https://example.onmicrosoft.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(0)</id>
<category term="TenantReporting.MailDetailSpamReport"
scheme="https://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
<link rel="edit" title="MailDetailSpamReport" href="MailDetailSpam(0)" />
<title />
<updated>2013-01-31T08:02:50Z</updated>
<author>
<name />
</author>
<content type="application/xml">
<m:properties>
<d:Date m:type="Edm.DateTime">2013-01-27T05:17:43.9408799</d:Date>
<d:Subject>Space Coast Golfers: Your Weekend Tee Times Have Arrived</d:Subject>
<d:EventType>SpamContentFiltered</d:EventType>
</m:properties>
</content>
</entry>
<entry>
<id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(1)</id>
<category term="TenantReporting.MailDetailSpamReport"
scheme="https://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
<link rel="edit" title="MailDetailSpamReport" href="MailDetailSpam(1)" />
<title />
<updated>2013-01-31T08:02:50Z</updated>
<author>
<name />
</author>
<content type="application/xml">
<m:properties>
<d:Date m:type="Edm.DateTime">2013-01-27T05:18:31.7775631</d:Date>
<d:Subject>Spain Golfers: Your Weekend Tee Times Have Arrived</d:Subject>
<d:EventType>SpamContentFiltered</d:EventType>
</m:properties>
</content>
</entry>
<entry>
<id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(2)</id>
<category term="TenantReporting.MailDetailSpamReport"
scheme="https://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
<link rel="edit" title="MailDetailSpamReport" href="MailDetailSpam(2)" />
<title />
<updated>2013-01-31T08:02:50Z</updated>
<author>
<name />
</author>
<content type="application/xml">
<m:properties>
<d:Date m:type="Edm.DateTime">2013-01-27T05:19:43.2337479</d:Date>
<d:Subject>Ireland Golfers: Your Weekend Tee Times Have Arrived</d:Subject>
<d:EventType>SpamContentFiltered</d:EventType>
</m:properties>
</content>
</entry>
</feed>
The following shows the same reporting results in JSON format.
{
"d":
[
{
"__metadata":
{
"id":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(0)",
"uri":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(0)",
"type":"TenantReporting.MailDetailSpamReport"
},
"Date":"\/Date(1359263863940)\/",
"Subject":"Space Coast Golfers: Your Weekend Tee Times Have Arrived",
"EventType":"SpamContentFiltered"
},
{
"__metadata":
{
"id":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(1)",
"uri":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(1)",
"type":"TenantReporting.MailDetailSpamReport"
},
"Date":"\/Date(1359263911777)\/",
"Subject":"Spain Golfers: Your Weekend Tee Times Have Arrived",
"EventType":"SpamContentFiltered"
},
{
"__metadata":
{
"id":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(2)",
"uri":"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(2)",
"type":"TenantReporting.MailDetailSpamReport"
},
"Date":"\/Date(1359263983233)\/",
"Subject":"Ireland Golfers: Your Weekend Tee Times Have Arrived",
"EventType":"SpamContentFiltered"
}
]
}
The following report lists the subject lines and dates of all instances of spam messages where the EventType is reported as 'SpamContentFiltered', in Atom format. For clarity, line-breaks were added to the request, and some Atom XML results were removed from the results.
https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailSpam?
$select=Date,Subject&
$filter=EventType%20eq%20'SpamContentFiltered'&
$format=Atom
<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/"
xmlns="http://www.w3.org/2005/Atom"
xmlns:d="https://schemas.microsoft.com/ado/2007/08/dataservices"
xmlns:m="https://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
<id>https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailSpam</id>
<title type="text">MailDetailSpam</title>
<updated>2013-01-31T08:19:24Z</updated>
<link rel="self" title="MailDetailSpam" href="MailDetailSpam" />
<entry>
<id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(0)</id>
<category term="TenantReporting.MailDetailSpamReport"
scheme="https://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
<link rel="edit" title="MailDetailSpamReport" href="MailDetailSpam(0)" />
<title />
<updated>2013-01-31T08:19:24Z</updated>
<author>
<name />
</author>
<content type="application/xml">
<m:properties>
<d:Date m:type="Edm.DateTime">2013-01-23T05:07:48.4767902</d:Date>
<d:Subject>Take a Swing at Seaview Golf Resort - The Bay Course</d:Subject>
</m:properties>
</content>
</entry>
<entry>
<id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(1)</id>
<category term="TenantReporting.MailDetailSpamReport"
scheme="https://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
<link rel="edit" title="MailDetailSpamReport" href="MailDetailSpam(1)" />
<title />
<updated>2013-01-31T08:19:24Z</updated>
<author>
<name />
</author>
<content type="application/xml">
<m:properties>
<d:Date m:type="Edm.DateTime">2013-01-23T05:16:47.4695631</d:Date>
<d:Subject>Take a Swing at Highland Park Golf Club</d:Subject>
</m:properties>
</content>
</entry>
<entry>
<id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(2)</id>
<category term="TenantReporting.MailDetailSpamReport"
scheme="https://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
<link rel="edit" title="MailDetailSpamReport" href="MailDetailSpam(2)" />
<title />
<updated>2013-01-31T08:19:24Z</updated>
<author>
<name />
</author>
<content type="application/xml">
<m:properties>
<d:Date m:type="Edm.DateTime">2013-01-23T05:17:26.039398</d:Date>
<d:Subject>Take a Swing at El Camaleon Mayakoba</d:Subject>
</m:properties>
</content>
</entry>
[[ entries removed ]]
<entry>
<id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailSpam(102)</id>
<category term="TenantReporting.MailDetailSpamReport"
scheme="https://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
<link rel="edit" title="MailDetailSpamReport" href="MailDetailSpam(102)" />
<title />
<updated>2013-01-31T08:19:24Z</updated>
<author>
<name />
</author>
<content type="application/xml">
<m:properties>
<d:Date m:type="Edm.DateTime">2013-01-31T06:28:34.2893369</d:Date>
<d:Subject>Weekend Tee Times for the Italy Area</d:Subject>
</m:properties>
</content>
</entry>
</feed>
Input parameters and report output columns
The [In/Out] indicators in the fields table have the following meanings:
Fields marked [In] in the fields table are primarily intended for use in $filter=, $orderby= and other query options that restrict which entries the report returns. Fields marked [In] in the fields table can be included the $select= option, and they will appear in the report entries, but they will contain no useful data.
Fields marked [In/Out] in the fields table can be used in both column selection ($select=) and entry restriction ($filter= and $orderby=) options. When you include one of these fields in the $select= option, they will appear in the report entries, and will contain useful data when it is available.
Compatibility
The MailDetailSpam report was introduced in Office 365 service version 2013-V1. For more information about versioning, see Versioning in the Office 365 Reporting web service.
Corresponding PowerShell cmdlets
The MailDetailSpam report returns the same information as the Get-MailDetailSpamReport Windows PowerShell cmdlet.
Permissions
The account you access the reports from must have administrative permissions in that Office 365 organization. If the account can view this report in the Office 365 control panel, then the account has permissions to retrieve the data from the REST web service. This report requires the user to be assigned to the View-Only Recipients Role. In the default Office 365 permissions structure, users with the following administrator permissions can access this report: billing administrator, global administrator, password administrator, service administrator, and user management administrator.
Data granularity, persistence, and availability
Information available in this report contains the exact date and time for each event. You can use any feasible time-period and duration by including the StartDate and EndDate fields in the $filter option. Times are reported in the time zone of the server scanning the email message.
The information for this report is available for a period of 7 days, or until the subscription is cancelled.
Events may be delayed by up to 24 hours before they appear in a report.