Preventing NDRs

# Get the date and time for 15 minutes ago. This will be the starting point to search the transport logs 
$strDate = Get-Date
$strStartFrom = $strDate.AddMinutes(-15)
 
# Get all the users who forwarded non-delivered messages to external users in the last 15 minutes. Group them so we can analyze the total number of e-mails sent
$strNDRs = Get-TransportServer |
    Get-MessageTrackingLog -ResultSize Unlimited -Start $strStartFrom -EventId SEND |
    Where-Object {
        ($_.MessageSubject -match "FW: There was an error sending your mail") -or
        ($_.MessageSubject -match "FW: Mail delivery failed") -or
        ($_.MessageSubject -match "FW: failure notice")
    } |
    Group-Object Sender
 
# For each sender, check if they sent 25 or more e-mails
ForEach ($strNDR in $strNDRs)
{
    # If they sent 25 or more e-mails (in the last 15 minutes) create the transport rule and send an e-mail to the administrator
    If ($strNDR.Count -ge 25)
    {
        # Create the Transport Rule
        # For every e-mail sent by that user
        $condition1 = Get-TransportRulePredicate From
        $condition1.Addresses = @(Get-Mailbox $strNDR.Name)
        
        # only when the e-mail is going Outside the organization
        $condition2 = Get-TransportRulePredicate SentToScope
        $condition2.Scope = @("NotInOrganization")
        
        # and only when the subject contains any of these phrases
        $condition3 = Get-TransportRulePredicate SubjectContains
        $condition3.Words = @("FW: There was an error sending your mail", "FW: Mail delivery failed", "FW: failure notice")
        
        # Redirect the FW e-mail to the Quarantine NDRs mailbox
        $action = Get-TransportRuleAction RedirectMessage
        $action.Addresses = @(Get-Mailbox quarantine)
        
        # Get the user's alias from the e-mail address to create the transport rule with it
        $strName = [regex]::split($strNDR.Name, "@")[0]
        
        # Create the Transport Rule itself
        New-TransportRule -Name "Prevent NDRs Storm - $strName" -Comments "Prevent NDRs Storm by blocking specific sender after searching the Transport Logs for 25 or more e-mails forwarded by one single user" -Conditions @($condition1, $condition2, $condition3) -Actions @($action) -Enabled $True -Priority 0
        
        
        # Send the E-mail to the administrator
        $body = ""
        $body += "`n**********************************"
        $body += "`n*                                *"
        $body += "`n*  WARNING: NDR Storm Prevented  *"
        $body += "`n*                                *"
        $body += "`n**********************************"
        $body += "`n`nTransport Rule Created for $($strNDR.Name)"
        $body += "`n`nFW e-mails: $($strNDR.Count)"
        
        $FromAddress = "ndr.storm@xxxxx"
        $ToAddress = "n.mota@xxxxx"
        $MessageSubject = "NDRs Storm!"
        
        $SendingServer = "EXHUBCAS1"
        
        $SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $body
        
        $SMTPClient = New-Object System.Net.Mail.SMTPClient $SendingServer
        $SMTPClient.Send($SMTPMessage)
    }
}