Preventing NDRs

# Get the date and time for 15 minutes ago. This will be the starting point to search the transport logs 
$strDate = Get-Date
# AddMinutes always returns a DateTime, which is what Get-MessageTrackingLog -Start expects
$strStartFrom = $strDate.AddMinutes(-15)
# Get all the users who forwarded non-delivered messages to external users in the last 15 minutes. Group them so we can analyze the total number of e-mails sent
$strNDRs = Get-TransportServer | Get-MessageTrackingLog -ResultSize Unlimited -Start $strStartFrom -EventId SEND | ? {($_.MessageSubject -match "FW: There was an error sending your mail") -or ($_.MessageSubject -match "FW: Mail delivery failed") -or ($_.MessageSubject -match "FW: failure notice")} | Group Sender
# For each sender, check if they sent 25 or more e-mails
ForEach ($strNDR in $strNDRs)
{
    # If they sent 25 or more e-mails (in the last 15 minutes) create the transport rule and send an e-mail to the administrator
    If ($strNDR.Count -ge 25)
    {
        # Create the Transport Rule
        # For every e-mail sent by that user
        $condition1 = Get-TransportRulePredicate From
        $condition1.Addresses = @(Get-Mailbox $strNDR.Name)
        # only when the e-mail is going Outside the organization
        $condition2 = Get-TransportRulePredicate SentToScope
        $condition2.Scope = @("NotInOrganization")
        # and only when the subject contains any of these phrases
        $condition3 = Get-TransportRulePredicate SubjectContains
        $condition3.Words = @("FW: There was an error sending your mail", "FW: Mail delivery failed", "FW: failure notice")
        # Redirect the FW e-mail to the Quarantine NDRs mailbox
        $action = Get-TransportRuleAction RedirectMessage
        $action.Addresses = @(Get-Mailbox quarantine)
        # Get the user's alias from the e-mail address to create the transport rule with it
        $strName = [regex]::split($strNDR.Name, "@")[0]
        # Create the Transport Rule itself
        New-TransportRule -Name "Prevent NDRs Storm - $strName" -Comments "Prevent NDRs Storm by blocking specific sender after searching the Transport Logs for more than 25 e-mails forwarded by one single user" -Conditions @($condition1, $condition2, $condition3) -Actions @($action) -Enabled $True -Priority 0
        # Send the E-mail to the administrator
        $body = ""
        $body += "`n**********************************"
        $body += "`n*                                *"
        $body += "`n*  WARNING: NDR Storm Prevented  *"
        $body += "`n*                                *"
        $body += "`n**********************************"
        # Use subexpressions so the values are appended as text rather than as array elements
        $body += "`n`nTransport Rule Created for $($strNDR.Name)"
        $body += "`n`nFW e-mails: $($strNDR.Count)"
        $FromAddress = "ndr.storm@xxxxx"
        $ToAddress = "n.mota@xxxxx"
        $MessageSubject = "NDRs Storm!"
        $SendingServer = "EXHUBCAS1"
        $SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $body
        $SMTPClient = New-Object System.Net.Mail.SMTPClient $SendingServer
        # Send the alert through the sending server
        $SMTPClient.Send($SMTPMessage)
    }
}

