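# Decode-ForeFront.ps1
# v0.05
# u/fosf0r
# 2021/08/23
#
# Prints a human-readable decode of the X-Forefront-Antispam-Report stamp
# (Exchange / Exchange Online Protection anti-spam header) found in a saved
# .eml file: SCL, SFV verdict, CAT category, HELO/PTR, IPV and country.
#
# https://www.sparkpost.com/blog/mircosoft-scl-bcl/
# https://docs.microsoft.com/en-us/Exchange/antispam-and-antimalware/antispam-protection/antispam-stamps?view=exchserver-2019
#
# NOTE(review): the stamp is only meaningful when the message really passed
# through EOP/Exchange. On a message that arrived from anywhere else the
# header is just text the sender controls, so read the output as a hint
# about what the filter saw, not as proof of anything.
param (
    [Parameter(Mandatory = $True)][string]$EMLfile
)

# config:
$ForefrontHeaderName = 'X-Forefront-Antispam-Report'

# Parse the stamp body ("KEY:VALUE;KEY:VALUE;...") into a hashtable.
# Values may themselves contain ':' (an IPv6 CIP, for example), so each
# item is split on the first ':' only. A duplicate key keeps the first
# value rather than throwing, and empty items (trailing ';') are skipped.
function ConvertFrom-ForefrontStamp {
    param ([string]$StampValue)
    $exploded = @{}
    foreach ($item in $StampValue.Split(';')) {
        $item = $item.Trim()
        if ('' -eq $item) { continue }
        $parts = $item.Split(':', 2)
        $key = $parts[0]
        $value = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        if (-not $exploded.ContainsKey($key)) {
            $exploded[$key] = $value
        }
    }
    return $exploded
}

# begin
$EMLcontents = $null
if ($null -ne $EMLfile -and '' -ne $EMLfile) {
    # -LiteralPath: a file name containing '[' or ']' must not be treated as a wildcard.
    if (Test-Path -Ea SilentlyContinue -LiteralPath $EMLfile) {
        $EMLcontents = Get-Content -LiteralPath $EMLfile -Raw
    }
}
if ($null -ne $EMLcontents -and '' -ne $EMLcontents) {
    # Only the header section (everything before the first blank line) is
    # searched, so a stamp quoted inside the body of a forwarded message
    # cannot be mistaken for this message's own stamp.
    $headerSection = ($EMLcontents -split "`r?`n`r?`n", 2)[0]
    # normalize: unfold RFC 5322 folded header lines (CRLF or LF, space or tab continuation)
    $headerSection = $headerSection -replace "`r?`n[ `t]", ' '
    # split: first occurrence of the header, value up to end of line
    $stampPattern = '(?m)^' + [regex]::Escape($ForefrontHeaderName) + ':[ \t]*([^\r\n]*)'
    $stampMatch = [regex]::Match($headerSection, $stampPattern)
    if (-not $stampMatch.Success) {
        Write-Error ("No " + $ForefrontHeaderName + " header found in " + $EMLfile)
        return
    }
    # tokenize/explode
    $ForefrontExploded = ConvertFrom-ForefrontStamp $stampMatch.Groups[1].Value.Trim()

    # SCL spam confidence level
    'SCL: ' + $ForefrontExploded.SCL

    # SFV spam filter verbose explanation
    switch ($ForefrontExploded.SFV) {
        'NSPM' {
            'SFV:NSPM The message was marked as non-spam by the content filter and was delivered to the intended recipients.'
        }
        'SPM' {
            'SFV:SPM The message was marked as spam by the content filter.'
        }
        'SKS' {
            'SFV:SKS The message was marked as SPAM prior to being processed by the content filter. This includes messages where the message matched a mail flow rule (also known as a transport rule) to automatically mark it as spam and bypass all additional filtering.'
        }
        'SKA' {
            'SFV:SKA The message skipped filtering and was delivered to the inbox because it matched an allow list in the spam filter policy, such as the Sender allow list.'
        }
        'SKB' {
            'SFV:SKB The message was marked as spam because it matched a block list in the spam filter policy, such as the Sender block list.'
        }
        'SKN' {
            'SFV:SKN The message was marked as non-spam prior to being processed by the content filter. This includes messages where the message matched a mail flow rule to automatically mark it as non-spam and bypass all additional filtering.'
        }
        'SKI' {
            'SFV:SKI Similar to SKN, but the message skipped filtering for another reason such as being intra-organizational email within a tenant.'
        }
        'SKQ' {
            'SFV:SKQ The message was released from the quarantine and was sent to the intended recipients.'
        }
        'SFE' {
            'SFV:SFE Filtering was skipped and the message was forced through because it was sent from an address on an individual''s safe sender list.'
        }
        'BLK' {
            'SFV:BLK Filtering was skipped and the message was blocked because it was sent from an address on an individual''s blocked sender list.'
        }
        default {
            # Say so explicitly instead of printing nothing for an unknown or absent verdict.
            'SFV: unrecognized or absent value: ' + $ForefrontExploded.SFV
        }
    }

    # CAT category explanation
    switch ($ForefrontExploded.CAT) {
        'MALW' {
            'CAT:MALW Malware'
        }
        'PHSH' {
            'CAT:PHSH Phishing'
        }
        'HSPM' {
            'CAT:HSPM High confidence spam'
        }
        'SPOOF' {
            'CAT:SPOOF Spoofing'
        }
        'SPM' {
            'CAT:SPM Spam'
        }
        'BULK' {
            'CAT:BULK Bulk'
        }
        'DIMP' {
            'CAT:DIMP Domain Impersonation'
        }
        'UIMP' {
            'CAT:UIMP User Impersonation'
        }
        'NONE' {
            'CAT:NONE No category'
        }
        default {
            'CAT: unrecognized or absent value: ' + $ForefrontExploded.CAT
        }
    }
    ''

    # HELO: hostname the sending server announced itself as
    'H: ' + $ForefrontExploded.H
    # DNS reverse lookup result (hopefully matches HELO hostname)
    'PTR: ' + $ForefrontExploded.PTR
    # test match. Both fields must be present: with both absent, $null -eq $null
    # would otherwise report a false "Good". -eq is case-insensitive here, which
    # is right for host names. A mismatch is worth a second look (mis-configured
    # or spoofed HELO), not a verdict on its own.
    if ([string]::IsNullOrEmpty($ForefrontExploded.H) -or [string]::IsNullOrEmpty($ForefrontExploded.PTR)) {
        '? H or PTR missing from the stamp; cannot compare.'
    } elseif ($ForefrontExploded.H -eq $ForefrontExploded.PTR) {
        'Good: PTR and H match.'
    } else {
        '! PTR and H DO NOT match !'
    }

    # IPV: IP address veracity
    switch ($ForefrontExploded.IPV) {
        'CAL' {
            'IPV:CAL The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.'
        }
        'NLI' {
            "IPV:NLI The IP address $($ForefrontExploded.CIP) was not listed on any IP reputation list."
        }
        default {
            'IPV: unrecognized or absent value: ' + $ForefrontExploded.IPV
        }
    }
    ''

    # Country
    'CTRY: ' + $ForefrontExploded.CTRY
}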