AutoSpamEmailScan
5.1.3
This PowerShell script can monitor a mailbox for unread emails, grab the URLs and attachments from those emails and submit them to virustotal.com, urlscan.io, Google Safe Browsing and OPSWAT. The script can also extract URLs from a PDF file.
After the scan finishes, the script can generate an HTML scan report and automatically reply to the senders.
The script can run once or in a loop: if the interval value in init.conf is 0, the script runs only once; otherwise the number is the loop interval in seconds.
Visit https://github.com/banhao/AutoSpamEmailScan to get the init.conf and Bytescout.PDF2HTML.dll; this DLL file is used to convert PDF to HTML.
Please check the License before you download this script. If you don't agree with the License, please don't download or use this script. https://github.com/banhao/AutoSpamEmailScan/blob/master/LICENSE
The password is Base64 encoded and saved in init.conf. The following example shows how to generate the encoded password:
"JkPgsiG9Zh0XCvk" is the password.
"yp9P7" is the salt. Make sure the salt is a unique string whose pattern does not also occur in the password.
Insert the salt into the password wherever you want:
yp9P7JkPgsiG9Zh0XCvk, JkPgsiG9Zh0XCvkyp9P7, JkPgyp9P7siG9Zh0XCvk, JkPgsiG9Zh0XCyp9P7vk, ...... all of these are legitimate.
Generate the base64 encoded string:
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("yp9P7JkPgsiG9Zh0XCvk"))
eQBwADkAUAA3AEoAawBQAGcAcwBpAEcAOQBaAGgAMABYAEMAdgBrAA==
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("JkPgsiG9Zh0XCvkyp9P7"))
SgBrAFAAZwBzAGkARwA5AFoAaAAwAFgAQwB2AGsAeQBwADkAUAA3AA==
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("JkPgyp9P7siG9Zh0XCvk"))
SgBrAFAAZwB5AHAAOQBQADcAcwBpAEcAOQBaAGgAMABYAEMAdgBrAA==
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("JkPgsiG9Zh0XCyp9P7vk"))
SgBrAFAAZwBzAGkARwA5AFoAaAAwAFgAQwB5AHAAOQBQADcAdgBrAA==
Save the encoded string in the init.conf file.
Decode the encoded string:
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("eQBwADkAUAA3AEoAawBQAGcAcwBpAEcAOQBaAGgAMABYAEMAdgBrAA=="))
yp9P7JkPgsiG9Zh0XCvk
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("SgBrAFAAZwBzAGkARwA5AFoAaAAwAFgAQwB2AGsAeQBwADkAUAA3AA=="))
JkPgsiG9Zh0XCvkyp9P7
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("SgBrAFAAZwB5AHAAOQBQADcAcwBpAEcAOQBaAGgAMABYAEMAdgBrAA=="))
JkPgyp9P7siG9Zh0XCvk
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("SgBrAFAAZwBzAGkARwA5AFoAaAAwAFgAQwB5AHAAOQBQADcAdgBrAA=="))
JkPgsiG9Zh0XCyp9P7vk
Even if someone gets the encoded string from init.conf and uses Base64 to decode it, they don't know the salt, so they still can't get the password directly.
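Added example (not part of AutoSpamEmailScan or its author's code): the Base64 scheme above beside storing the same secret as a DPAPI-protected string with the built-in ConvertTo-SecureString / ConvertFrom-SecureString cmdlets. The helper names, the temp file path and the account name are assumptions made for illustration; the password and salt are the sample values from this page.

```powershell
# Added example, not AutoSpamEmailScan code. Password and salt are the sample values from this page.
$password = 'JkPgsiG9Zh0XCvk'
$salt     = 'yp9P7'

# --- Scheme described on this page: Base64 over the UTF-16LE bytes of salt + password ---
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($salt + $password))
# Base64 is an encoding, not encryption: decoding needs no key, and the result
# is the password with the salt characters inserted.
$decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))
"Base64 in config : $encoded"
"Decoded, no key  : $decoded"

# --- Alternative: DPAPI-protected string (Windows, bound to the current user account) ---
function Protect-ConfigSecret {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$PlainText)
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    # Without -Key/-SecureKey, ConvertFrom-SecureString encrypts with DPAPI.
    ConvertFrom-SecureString -SecureString $secure
}

function Unprotect-ConfigSecret {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Protected,
          [Parameter(Mandatory)][string]$UserName)
    try {
        $secure = ConvertTo-SecureString -String $Protected -ErrorAction Stop
    } catch {
        # Decryption fails under a different Windows account or on another machine.
        throw "Stored secret cannot be decrypted in this user context: $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Constructed round trip through a temporary file standing in for a config entry.
$confPath = Join-Path $env:TEMP 'example-secret.txt'            # assumed path
Protect-ConfigSecret -PlainText $password | Set-Content -Path $confPath -Encoding ASCII
$stored = (Get-Content -Path $confPath -Raw).Trim()
$cred   = Unprotect-ConfigSecret -Protected $stored -UserName 'scanner@example.com'   # assumed account
"Round trip OK    : $($cred.GetNetworkCredential().Password -eq $password)"
Remove-Item -Path $confPath
```

The DPAPI-protected string is only readable by processes running as the same Windows user on the same machine, so the script has to run under the account that created it.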
This script was tested on PowerShell version 5.1.16299.1146. It cannot run on PowerShell version 4 and below.
PS H:\>host
Check the PowerShell version.
Package Details
Author(s)
- HAO BAN/banhao@gmail.com
Functions
Google-Safe-Browsing Submit-URLSCAN Submit-URL-Virustotal Submit-FILE-OPSWAT FromEmailAttachment ConvertLogToHTML ExtractURLFromPDFHTML CheckRedirectedURL MAIN
Dependencies
This script has no dependencies.
Release Notes
Creation Date: <06/10/2022>
Purpose/Change: optimize some outputs format.
Creation Date: <05/31/2022>
Purpose/Change: Rename some variables.
Creation Date: <05/30/2022>
Purpose/Change: Optimize the module "CheckRedirectedURL"; skip scanning the URL if the URL contains file types in variable "$EXTENSIONARRAY"
Creation Date: <05/26/2022>
Purpose/Change: Add "RedirectURL.py" to replace the powershell script.
Add "pdf2url.py" to replace the "Bytescout.PDF2HTML.dll"
Add "Submit_FILE_Virustotal.py" to replace the "Submit-FILE-Virustotal" and call VirusTotal V3 API
Creation Date: <05/09/2022>
Purpose/Change: Add "selenium_simulator.py" to open HTML file on local and get screenshot.
Creation Date: <05/03/2022>
Purpose/Change: optimize the method to extract email address from the mail body.
Creation Date: <04/28/2022>
Purpose/Change: Replace the "Cisco SecureX Investigation Module" with the "secureX.ps1"
Add "MineMeld_Indicator.ps1"
Add ESA_Spam_Block.ps1
Remove "checkphish.ai" module
Creation Date: <09/20/2021>
Purpose/Change: Fixed Function "ESASpamQuarantine" a small bug.
Creation Date: <07/08/2021>
Purpose/Change: add Cisco SecureX Investigation Module
Creation Date: <05/26/2021>
Purpose/Change: Fixed some bugs
Creation Date: <05/19/2021>
Purpose/Change: Add "BlockedMailSelfRelease" function. If you do not have ESA/SMA or do not want to use the ESA/SMA API to block SPAM senders or release blocked emails from quarantine, then please set "ENABLEESASPAMBL" and "ENABLESELFRELEASE" to "False" in init.conf
Creation Date: <05/13/2021>
Purpose/Change: Add "slblconfig EXPORT" after updating the Cisco Email Security Appliance Spam Quarantine Blacklist. (Related to Cisco Bug CSCvx12488)
The ssh PRIVATE KEY must be saved in the "c:\users\<username>\.ssh\" folder. The ".ssh" folder must have "inheritance" disabled, with the "local\SYSTEM" group and "local\Administrators" group manually granted "full control" privilege, and the current user granted "read only" privilege.
Creation Date: <04/05/2021>
Purpose/Change: Optimize function CheckRedirectedURL{}
Creation Date: <03/25/2021>
Purpose/Change: Update function CheckRedirectedURL{}
Creation Date: <03/19/2021>
Purpose/Change: Add a new module for Cisco Email Security Appliance Spam Quarantine Blacklist.
Creation Date: <11/10/2020>
Purpose/Change: Move emails to a sub-folder after checking.
Creation Date: <04/03/2020>
Purpose/Change: Optimize the parameters setting.
Creation Date: <04/02/2020>
Purpose/Change: Add a new feature to let the user input the credential: just choose "N" when prompted with "salt is empty". Add SystemException, fix the breakage on system error.
Creation Date: <03/10/2020>
Purpose/Change: Add a new Function CheckRedirectedURL, this feature is used to detect URLs that try to escape the scan.
Change "function Submit-URL-Virustotal" to use the VirusTotal API V3
Creation Date: <02/11/2020>
Purpose/Change: Add checkphish.ai API limit error
Creation Date: <01/22/2020>
Purpose/Change: Add a new Function checkphish.ai
Creation Date: <10/21/2019>
Purpose/Change: One function name was changed but the program still called the old name. Update the Bytescout.PDF2HTML.dll to version 10.6.0.3667. It's still a trial version and will expire after 90 days. If you see this error:
--------------------------------------------------------------------------------------
"new-object : Exception calling ".ctor" with "0" argument(s): "Trial period expired."
+ $extractor = new-object Bytescout.PDF2HTML.HTMLExtractor
--------------------------------------------------------------------------------------
That means the DLL file has expired.
FileList
- AutoSpamEmailScan.nuspec
- AutoSpamEmailScan.ps1
Version History
Version | Downloads | Last updated |
---|---|---|
5.2.0 | 121 | 11/8/2022 |
5.1.6 | 109 | 9/21/2022 |
5.1.5 | 116 | 9/8/2022 |
5.1.4 | 137 | 8/17/2022 |
5.1.3 (current version) | 179 | 6/10/2022 |
5.1.2 | 175 | 5/31/2022 |
5.1.1 | 175 | 5/30/2022 |
5.1.0 | 176 | 5/26/2022 |
5.0.1 | 190 | 5/3/2022 |
5.0.0 | 190 | 4/29/2022 |
4.6.1 | 224 | 9/20/2021 |
4.6.0 | 208 | 7/9/2021 |
4.5.1 | 214 | 5/26/2021 |
4.5.0 | 204 | 5/19/2021 |
4.4.2 | 212 | 4/5/2021 |
4.4.1 | 208 | 3/26/2021 |
4.4.0 | 206 | 3/22/2021 |
4.3.0 | 219 | 11/13/2020 |
4.2.2 | 239 | 4/3/2020 |
4.2.1 | 213 | 4/3/2020 |
4.2.0 | 219 | 3/10/2020 |
4.1.2 | 210 | 2/11/2020 |
4.1.1 | 209 | 2/11/2020 |
4.1.0 | 214 | 1/22/2020 |
4.0.2 | 220 | 10/21/2019 |
4.0.1 | 207 | 10/18/2019 |
4.0 | 209 | 10/8/2019 |
3.62 | 210 | 10/3/2019 |
3.61 | 223 | 9/26/2019 |
3.6 | 211 | 9/17/2019 |
3.5 | 214 | 9/5/2019 |
3.4 | 212 | 8/23/2019 |
3.3 | 217 | 8/20/2019 |