internal/functions/AI/Invoke-EXRProcessAntiSPAMHeaders.ps1
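function Invoke-EXRProcessAntiSPAMHeaders {
    <#
    .SYNOPSIS
        Copies selected fields from a message's authentication and anti-spam
        headers onto the item as note properties.

    .DESCRIPTION
        Reads $Item.IndexedInternetMessageHeaders (a dictionary keyed by header
        name) and, for each header that is present, adds these note properties
        to $Item with Add-Member -Force:

          Authentication-Results           -> SPF, DKIM, DMARC, CompAuth
          Authentication-Results-Original  -> Original-SPF, Original-DKIM,
                                              Original-DMARC, Original-CompAuth
          X-Microsoft-Antispam             -> PCL, BCL
          X-Forefront-Antispam-Report      -> CTRY, SFV, SRV, PTR, CIP, IPV
          X-MS-Exchange-Organization-SCL   -> SCL (raw header value)
          X-CustomSpam                     -> ASF (raw header value)

        A field whose pattern does not match is still added, with an empty
        string as its value. Nothing is written to the pipeline; the item is
        modified in place.

    .PARAMETER Item
        Message object carrying an IndexedInternetMessageHeaders property.
        Items without that property (or with a null value for it) are left
        untouched.

    .NOTES
        Security caveats for anyone consuming these properties:

        * Every value comes from message headers, i.e. from message content.
          This function does not check which system stamped a header (for
          Authentication-Results, the authserv-id described in RFC 8601), so a
          header written by the sender or an upstream relay is parsed exactly
          like one written by your own mail boundary. Treat the results as
          triage hints unless the headers are known to come from a trusted hop.
        * How IndexedInternetMessageHeaders resolves repeated header names is
          not visible in this function; confirm which instance is stored
          before relying on a verdict.
        * The Authentication-Results patterns assume the field order
          spf= ... dkim= ... dmarc= ... compauth=. With a different order or a
          missing field the affected properties come back empty, which must
          not be read as "check passed" or "check failed".
        * Captured values are not trimmed: for Authentication-Results they
          include everything up to the next field name (comments, properties
          and the trailing "; "). Compare with a prefix test rather than -eq.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Position = 1, Mandatory = $false)]
        [psobject]
        $Item
    )
    process {
        if ($null -eq $Item) {
            return
        }

        # Exact (case-insensitive) property lookup. The previous regex -match on
        # the property names also accepted names that merely contain the text,
        # after which .ContainsKey() was called on a null value.
        $headersProperty = $Item.PSObject.Properties['IndexedInternetMessageHeaders']
        if ($null -eq $headersProperty -or $null -eq $headersProperty.Value) {
            return
        }
        $headers = $headersProperty.Value

        # Runs each pattern against $Text and stores capture group 1 on $Target.
        # Regex.Match always returns at least one group, so the old
        # "Groups.Count -gt 0" test could never fail; Success is the real signal.
        # The empty-string fallback keeps the value callers received before.
        $addFields = {
            param($Target, $Text, $Patterns)
            foreach ($propertyName in $Patterns.Keys) {
                $match = [regex]::Match($Text, $Patterns[$propertyName])
                $value = ''
                if ($match.Success) {
                    $value = $match.Groups[1].Value
                }
                Add-Member -InputObject $Target -NotePropertyName $propertyName -NotePropertyValue $value -Force
            }
        }

        if ($headers.ContainsKey("Authentication-Results")) {
            # Each field is delimited by the name of the next one, so the
            # patterns depend on the spf/dkim/dmarc/compauth order.
            & $addFields $Item $headers["Authentication-Results"] ([ordered]@{
                    'SPF'      = 'spf=(.*?)dkim='
                    'DKIM'     = 'dkim=(.*?)dmarc='
                    'DMARC'    = 'dmarc=(.*?)compauth='
                    'CompAuth' = 'compauth=(.*)'
                })
        }

        if ($headers.ContainsKey("Authentication-Results-Original")) {
            # Here the fields are delimited by ';' instead of by the next name.
            & $addFields $Item $headers["Authentication-Results-Original"] ([ordered]@{
                    'Original-SPF'      = 'spf=(.*?)\;'
                    'Original-DKIM'     = 'dkim=(.*?)\;'
                    'Original-DMARC'    = 'dmarc=(.*?)\;'
                    'Original-CompAuth' = 'compauth=(.*)'
                })
        }

        if ($headers.ContainsKey("X-Microsoft-Antispam")) {
            # KEY:value; pairs. A pair without a closing ';' does not match.
            & $addFields $Item $headers["X-Microsoft-Antispam"] ([ordered]@{
                    'PCL' = 'PCL\:(.*?)\;'
                    'BCL' = 'BCL\:(.*?)\;'
                })
        }

        if ($headers.ContainsKey("X-Forefront-Antispam-Report")) {
            & $addFields $Item $headers["X-Forefront-Antispam-Report"] ([ordered]@{
                    'CTRY' = 'CTRY\:(.*?)\;'
                    'SFV'  = 'SFV\:(.*?)\;'
                    'SRV'  = 'SRV\:(.*?)\;'
                    'PTR'  = 'PTR\:(.*?)\;'
                    'CIP'  = 'CIP\:(.*?)\;'
                    'IPV'  = 'IPV\:(.*?)\;'
                })
        }

        # These two headers are copied as-is, without parsing.
        if ($headers.ContainsKey("X-MS-Exchange-Organization-SCL")) {
            Add-Member -InputObject $Item -NotePropertyName "SCL" -NotePropertyValue $headers["X-MS-Exchange-Organization-SCL"] -Force
        }
        if ($headers.ContainsKey("X-CustomSpam")) {
            Add-Member -InputObject $Item -NotePropertyName "ASF" -NotePropertyValue $headers["X-CustomSpam"] -Force
        }
    }
}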