-------------------------------------------------------

Load-Mell path: \\SDC01\Documents\mrosandich\Documents\WindowsPowerShell\Modules\Load-Mell\load-mell.psm1

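# Load the module from the normal module path. -DisableNameChecking silences the
# warning about the unapproved verbs (Check-, Delete-) this module uses.
Import-Module Load-Mell -DisableNameChecking

# NOTE(review): this second import loads a copy of the module over an RDP
# client-drive redirection (\\tsclient\...). Whatever is on that path runs in
# this session with its privileges; confirm it is the copy you intend to load.
Import-Module \\tsclient\C\Users\mrosandich\Desktop\PSM1\Load-Mell\Load-Mell -DisableNameChecking

# Command cheat-sheet shown when the profile loads. Single-quoted here-string:
# nothing inside is expanded, so the ASCII art, backslashes and quotes are literal.
# The Check-Ports parameter is -port (not -ports), and -pattern is a regex.
Write-Host @'
   _____         .__  .__    .____                     .___         .___._.
  /     \   ____ |  | |  |   |    |    _________     __| _/____   __| _/| |
 /  \ /  \_/ __ \|  | |  |   |    |   /  _ \__  \   / __ |/ __ \ / __ | | |
/    Y    \  ___/|  |_|  |__ |    |__(  <_> ) __ \_/ /_/ \  ___// /_/ |  \|
\____|__  /\___  >____/____/ |_______ \____(____  /\____ |\___  >____ |  __
        \/     \/                    \/         \/      \/    \/     \/  \/
---------------------------------------------------------------------------
Commands:
Add-WhiteListIP -client pleskname -service mysql -ip x.x.x.x
Add-WhiteListIP -domain pleskname.com -service mssql -ip x.x.x.x
 
Check-Ports -ip x.x.x.x -port 25
Check-Ports -ip x.x.x.x -port common
Check-Ports -ip x.x.x.x -port "25,51,80"
Check-Ports -ip x.x.x.x -port "email,51,80"
 
Check-RDPLogins -days 10
Check-RDPLogins -hours 12
Check-RDPLogins -hours 12 -failed
 
Check-Spamhaus -ip 8.7.5.6
Check-Spamhaus -ip ifaces
 
Delete-SpamSmarterMail -action show|delete -pattern ".*v_i_a-g-r-a.*" -directory path -check eml|hdr
 
 ---------- End of Load-Mell commands ---------- 
'@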

 

########################################################################

#Load-Mell

# Version 1.0

# Created by: Mell Rosandich

########################################################################

 

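function Load-Mell {
<#
.SYNOPSIS
Prints the Load-Mell command cheat-sheet.

.DESCRIPTION
Writes the banner and one usage line per command in this module to the host:
Add-WhiteListIP, Check-Ports, Check-RDPLogins, Check-Spamhaus and
Delete-SpamSmarterMail. It does not load anything itself; the Import-Module
lines at the top of this file do that.

.EXAMPLE
Load-Mell

.NOTES
Output goes to the host (Write-Host), not to the pipeline, so it cannot be
captured or piped.
#>
[CmdletBinding()]
param (
)

PROCESS {
    # Single-quoted here-string: nothing inside is expanded, so the ASCII art,
    # backslashes and quotes are literal. The Check-Ports parameter is -port
    # (not -ports) and -pattern is a regex, matching the functions' own help.
    Write-Host @'
   _____         .__  .__    .____                     .___         .___._.
  /     \   ____ |  | |  |   |    |    _________     __| _/____   __| _/| |
 /  \ /  \_/ __ \|  | |  |   |    |   /  _ \__  \   / __ |/ __ \ / __ | | |
/    Y    \  ___/|  |_|  |__ |    |__(  <_> ) __ \_/ /_/ \  ___// /_/ |  \|
\____|__  /\___  >____/____/ |_______ \____(____  /\____ |\___  >____ |  __
        \/     \/                    \/         \/      \/    \/     \/  \/
---------------------------------------------------------------------------
Commands:
Add-WhiteListIP -client pleskname -service mysql -ip x.x.x.x
Add-WhiteListIP -domain pleskname.com -service mssql -ip x.x.x.x
 
Check-Ports -ip x.x.x.x -port 25
Check-Ports -ip x.x.x.x -port common
Check-Ports -ip x.x.x.x -port "25,51,80"
Check-Ports -ip x.x.x.x -port "email,51,80"
 
Check-RDPLogins -days 10
Check-RDPLogins -hours 12
Check-RDPLogins -hours 12 -failed
 
Check-Spamhaus -ip 8.7.5.6
Check-Spamhaus -ip ifaces
 
Delete-SpamSmarterMail -action show|delete -pattern ".*v_i_a-g-r-a.*" -directory path -check eml|hdr
 
 ---------- End of Load-Mell commands ---------- 
'@
}#end process
}#end Load-Mell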

 

 

 

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

#                                 Check-Ports

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

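function Check-Ports {
<#
.SYNOPSIS
Checks whether TCP ports are open on a local or remote host.

.DESCRIPTION
Attempts a TCP connect to each requested port (4 second timeout per port) and
prints one line per port: the port number, the service name it is known by and
Good!/BAD!. A port shows as "Good!" only when the TCP handshake completed; a
closed or filtered port, an unresolvable host and a timeout all show as "BAD!".

The port list is comma separated. Each item may be a port number, a service
name from the table below (case-insensitive, e.g. SMTP or mysql), or one of
these group verbs:

Verb Ports
common  21,22,23,25,53,80,110,115,143,443,1443,3306,3389,8172,8306,8443
all     21,22,23,25,26,43,53,67,80,110,115,123,135,137,143,161,443,445,465,993,995,1443,3306,3389,8172,8443
email   25,26,110,143,465,993,995
mail    25,26,110,143,465,993,995
db      3306,1443
vpn     1701,1723

Service names: Plesk PSA WebMatrix RDP MySQL MSSQL PPTP L2TP POP3-Secure
IMAP-Secure SMTP-Secure ActiveDir SSL SNMP POP SFTP NTP RPC NetBios IMAP FTP
SSH TelNet SMTP WHOIS DNS DHCP WEB SMTP-ALT

.PARAMETER ip
Optional. One or more host names or IP addresses; each one is checked in turn.
Not setting it uses localhost.

.PARAMETER port
Optional. Port list as described above. Not setting it uses the common group.
A list with several items must be quoted: "25,vpn".

.EXAMPLE
check the common ports on a remote host
Check-Ports -ip 192.168.1.1 -port common

.EXAMPLE
Check ports 80 and 25
Check-Ports -ip 192.168.1.1 -port "25,80"

.EXAMPLE
Check port 25 and the vpn ports
Check-Ports -ip 192.168.1.1 -port "25,vpn"

.NOTES
An item that is not a number in 1-65535, a known service name or a group verb
is reported as "is not recognized" and skipped.
#>
[CmdletBinding()]
param (
    [parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [string[]]$ip,

    [parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [string[]]$port
)

PROCESS {
    if (-not $ip)   { Write-Host "IP not specified -ip: using localhost"; $ip = @("localhost") }
    if (-not $port) { Write-Host "Port not specified -port: using common"; $port = @("common") }

    # Port number -> service name. Items are resolved as whole tokens (not by
    # string replacement), so "SMTP" can no longer clobber "SMTP-Secure" and
    # "80" never touches "8080"; table order therefore no longer matters.
    $portMap = @{
        8443="Plesk"; 8306="PSA"; 8172="WebMatrix"; 3389="RDP"; 3306="MySQL"; 1443="MSSQL";
        1723="PPTP"; 1701="L2TP"; 995="POP3-Secure"; 993="IMAP-Secure"; 465="SMTP-Secure";
        445="ActiveDir"; 443="SSL"; 161="SNMP"; 110="POP"; 115="SFTP"; 123="NTP"; 135="RPC";
        137="NetBios"; 143="IMAP"; 21="FTP"; 22="SSH"; 23="TelNet"; 25="SMTP"; 43="WHOIS";
        53="DNS"; 67="DHCP"; 80="WEB"; 26="SMTP-ALT"
    }
    # The original exposed this table globally; kept so anything that read it still can.
    $global:aPortmaps = $portMap

    # Reverse lookup, service name -> port number. PowerShell hashtable keys are
    # case-insensitive, so "mysql" and "MySQL" both resolve.
    $nameToPort = @{}
    foreach ($number in $portMap.Keys) { $nameToPort[$portMap[$number]] = $number }

    # Group verbs, expanded before the service-name lookup.
    $portGroups = @{
        "common" = "21,22,23,25,53,80,110,115,143,443,1443,3306,3389,8172,8306,8443";
        "all"    = "21,22,23,25,26,43,53,67,80,110,115,123,135,137,143,161,443,445,465,993,995,1443,3306,3389,8172,8443";
        "email"  = "25,26,110,143,465,993,995";
        "mail"   = "25,26,110,143,465,993,995";
        "db"     = "3306,1443";
        "vpn"    = "1701,1723"
    }

    # Expands one comma-separated -port item into port-number strings. Tokens
    # that are neither a group verb nor a known service name are passed through
    # unchanged so the main loop can report them.
    function Resolve-PortTokens([string]$spec) {
        $resolved = New-Object System.Collections.ArrayList
        foreach ($rawToken in $spec.Split(",")) {
            $token = $rawToken.Trim()
            if ($token -eq "") { continue }
            if ($portGroups.ContainsKey($token)) {
                foreach ($p in $portGroups[$token].Split(",")) { [void]$resolved.Add($p) }
            }
            elseif ($nameToPort.ContainsKey($token)) {
                [void]$resolved.Add([string]$nameToPort[$token])
            }
            else {
                [void]$resolved.Add($token)
            }
        }
        return ,$resolved.ToArray()
    }

    # Name printed next to a port number, or "---" when it is not in the table.
    function Get-ServiceName([string]$portNumber) {
        $n = 0
        if ([int]::TryParse($portNumber, [ref]$n) -and $portMap.ContainsKey($n)) {
            return $portMap[$n]
        }
        return "---"
    }

    # True only when a TCP connect to $srv:$port completes within $timeout ms.
    # Timeouts, refusals, DNS failures and exceptions all return $false; the
    # client is always closed (finally) so no half-open socket is left behind.
    function Test-TcpPort([string]$srv, [int]$port, [int]$timeout = 3000) {
        $tcpclient = New-Object System.Net.Sockets.TcpClient
        try {
            $iar = $tcpclient.BeginConnect($srv, $port, $null, $null)
            if (-not $iar.AsyncWaitHandle.WaitOne($timeout, $false)) {
                return $false   # timed out: filtered port or unreachable host
            }
            $tcpclient.EndConnect($iar) | Out-Null   # throws when the connect failed
            return $true
        }
        catch {
            return $false
        }
        finally {
            $tcpclient.Close()
        }
    }

    # Each -port item is expanded separately, so "-port 25,80" (which PowerShell
    # passes as two array elements) works as well as "-port '25,80'".
    $ports = @()
    foreach ($spec in $port) { $ports += Resolve-PortTokens $spec }

    Write-Host " "
    Write-Host "Port `t Service Name `tStatus"
    Write-Host "------------------------------------"

    foreach ($target in $ip) {
        if ($ip.Count -gt 1) { Write-Host "Host:" $target }
        foreach ($item in $ports) {
            $number = 0
            # Whole-token numeric check in the valid port range; the original
            # "[0-9]" accepted anything containing a single digit.
            if (-not [int]::TryParse($item, [ref]$number) -or $number -lt 1 -or $number -gt 65535) {
                Write-Host $item "is not recognized"
                continue
            }
            $isOpen = Test-TcpPort $target $number 4000
            $serviceName = Get-ServiceName $item
            if ($serviceName.Length -le 5) { $serviceName += "`t" }   # keep the columns aligned
            if ($isOpen) {
                Write-Host $item "`t" $serviceName "`tGood!" -ForegroundColor Green
            }
            else {
                Write-Host $item "`t" $serviceName "`tBAD!" -ForegroundColor Yellow
            }
        }
    }
}#end process
}#end Check-Ports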

 

 

 

 

 

 

 

 

 

 

 

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

#                                 Add-WhiteListIP

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

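function Add-WhiteListIP {
<#
.SYNOPSIS
Adds an IP address to a Plesk client's MySQL or MSSQL firewall whitelist.

.DESCRIPTION
Looks the client up in the Plesk database (by -domain, or by -client login)
through dbclient.exe, registers the client with add-hgclient, then calls
Add-Whitelist for the given service and IP and Push-Firewall to apply the
rules. One of -domain or -client must identify the client; -domain wins when
both are given.

Sample: Add-WhiteListIP -ip 8.8.8.8 -service MySQL -domain test.com

.PARAMETER ip
Required. The address to whitelist; it must parse as an IP address.

.PARAMETER service
Required. MySQL or MSSQL (case-insensitive).

.PARAMETER domain
Client's domain name, used to look up the client ID. Letters, digits, dot and
dash only.

.PARAMETER client
Client login name, used to look up the client ID. Letters, digits, dot, dash,
underscore and @ only.

.EXAMPLE
Add the IP address 8.8.8.8 to the firewall for MySQL client id that owns test.com
Add-WhiteListIP -ip 8.8.8.8 -service MySQL -domain test.com

.EXAMPLE
Add the IP address 8.8.8.8 to the firewall for MSSQL client id that uses testpleskid
Add-WhiteListIP -ip 8.8.8.8 -service MSSQL -client testpleskid

.NOTES
Needs the plesk_bin environment variable (dbclient.exe) and the add-hgclient,
Add-Whitelist and Push-Firewall commands, which are defined outside this
module. dbclient.exe takes the SQL statement as plain text, so every value
that goes into a query is checked against a strict character allowlist first
and the binary is invoked directly rather than through Invoke-Expression.
#>
[CmdletBinding()]
param (
    [parameter(Mandatory=$true,ValueFromPipeline=$true)]
    [string[]]$ip,

    [parameter(Mandatory=$true,ValueFromPipeline=$true)]
    [string[]]$service,

    [parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [string[]]$client,

    [parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [string[]]$domain
)#End param

PROCESS {
    # The parameters are [string[]] for pipeline use; one value of each is what
    # this function works with (an omitted parameter becomes "").
    [string]$domain  = $domain
    [string]$client  = $client
    [string]$ip      = $ip
    [string]$service = $service

    $global:ServiceName = $service.ToLower()
    if ($global:ServiceName -ne "mysql" -and $global:ServiceName -ne "mssql") {
        Write-Host "-service must be MySQL or MSSQL. help for more information"; return
    }

    # Every lookup value ends up inside the SQL text handed to dbclient.exe and
    # in the arguments passed to the firewall commands, so anything outside a
    # tight allowlist is rejected before it gets near either.
    $parsedIp = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsedIp)) {
        Write-Host "-ip must be a valid IP address" -ForegroundColor Yellow; return
    }
    if ($domain -ne "" -and $domain -notmatch '^[A-Za-z0-9.-]{1,253}$') {
        Write-Host "-domain contains characters that are not allowed in a domain name" -ForegroundColor Yellow; return
    }
    if ($client -ne "" -and $client -notmatch '^[A-Za-z0-9._@-]{1,64}$') {
        Write-Host "-client contains characters that are not allowed in a login name" -ForegroundColor Yellow; return
    }
    if ($domain -eq "" -and $client -eq "") {
        Write-Host "Specify -domain or -client to identify the client. help for more information"; return
    }

    # Information retrieved about the client. Kept in the global scope as the
    # original did, because add-hgclient / Add-Whitelist / Push-Firewall live
    # outside this module and may read them. Empty string (not $null) is the
    # "not found" value: a [string]-typed variable can never hold $null.
    [string]$global:cmdflag_domain = $domain
    [string]$global:cmdflag_client = $client
    [string]$global:ClientID       = ""
    [string]$global:ClientName     = ""
    [string]$global:ClientCName    = ""
    [string]$global:ClientEmail    = ""
    [array]$global:DomainsNames    = @()
    [array]$global:DomainsIDs      = @()

    # Internal vars
    $global:g_BinPath = $Env:plesk_bin + '\dbclient.exe'

    # Runs one statement through dbclient.exe and returns its output lines.
    # The binary is called directly (no Invoke-Expression), so PowerShell never
    # re-parses the query text as script; $sql must only contain allowlisted
    # values. The header row dbclient prints is left for the callers to skip.
    function Invoke-PleskSql([string]$sql) {
        return @(& $global:g_BinPath --direct-sql "--sql=$sql")
    }

    # Reads one column of the clients row for $global:ClientID. The value may
    # contain spaces (company names), so each line is split into two fields only.
    function Get-ClientColumn([string]$column) {
        $rows = Invoke-PleskSql "select id,$column from clients where id='$global:ClientID';"
        foreach ($row in $rows) {
            if (-not $row) { continue }
            $cols = $row.split('', 2)
            if ($cols.Length -ge 2 -and $cols[0] -eq $global:ClientID) { return $cols[1].trim() }
        }
        return ""
    }

    # Resolves the client from -domain (preferred) or -client, fills the global
    # Client* / Domains* variables and returns $true when a client ID was found.
    function GetClientInfo() {
        if ($global:cmdflag_domain -ne "") {
            Write-Host "Searching Domain" $global:cmdflag_domain
            $rows = Invoke-PleskSql "select cl_id,name from domains where name='$global:cmdflag_domain';"
            foreach ($row in $rows) {
                if (-not $row) { continue }
                $cols = $row.split()
                if ($cols.Length -ge 2 -and $cols[1] -eq $global:cmdflag_domain) { $global:ClientID = $cols[0].trim() }
            }
            if ($global:ClientID -eq "") {
                Write-Host "Could Not Find Domain" -ForegroundColor Yellow
                return $false
            }
            # The domain gave us the ID; the login is still needed for the report.
            $rows = Invoke-PleskSql "select login,id from clients where id='$global:ClientID';"
            foreach ($row in $rows) {
                if (-not $row) { continue }
                $cols = $row.split()
                if ($cols.Length -ge 2 -and $cols[1] -eq $global:ClientID) { $global:cmdflag_client = $cols[0].trim() }
            }
        }
        elseif ($global:cmdflag_client -ne "") {
            Write-Host "Searching Client" $global:cmdflag_client
            $rows = Invoke-PleskSql "select login,id from clients where login='$global:cmdflag_client';"
            foreach ($row in $rows) {
                if (-not $row) { continue }
                $cols = $row.split()
                if ($cols.Length -ge 2 -and $cols[0] -eq $global:cmdflag_client) { $global:ClientID = $cols[1].trim() }
            }
            if ($global:ClientID -eq "") {
                Write-Host "Could Not Find Client" -ForegroundColor Yellow
                return $false
            }
        }
        else {
            return $false
        }

        # The ID came back from the database, not from the user, but it is reused
        # inside further queries, so it must be a plain non-zero integer.
        if ($global:ClientID -notmatch '^[0-9]+$' -or $global:ClientID -eq "0") {
            Write-Host "Client ID '$global:ClientID' is not a valid ID" -ForegroundColor Yellow
            return $false
        }
        Write-Host "Found Client ID:" $global:ClientID

        # All domains owned by the client (the "name" header row is skipped).
        $rows = Invoke-PleskSql "select name,id from domains where cl_id='$global:ClientID';"
        foreach ($row in $rows) {
            if (-not $row) { continue }
            $cols = $row.split()
            if ($cols.Length -ge 2 -and $cols[0] -ne "" -and $cols[0] -ne "name") {
                $global:DomainsNames += $cols[0]
                $global:DomainsIDs   += $cols[1]
            }
        }
        $global:ClientName  = Get-ClientColumn "pname"
        $global:ClientCName = Get-ClientColumn "cname"
        $global:ClientEmail = Get-ClientColumn "email"
        return $true
    }

    # dbclient.exe must exist before any lookup is attempted.
    function CheckForPleskBin() {
        $found = Test-Path -LiteralPath $global:g_BinPath
        if ($found) { Write-Host "Found Plesk Bin" } else { Write-Host "Missing Plesk Bin: Can't continiue" }
        return $found
    }

    #--------------------------------------------------------------------------------------------
    #                                  RUN  -  TIME!
    #--------------------------------------------------------------------------------------------
    if (-not (CheckForPleskBin)) { return }
    if (-not (GetClientInfo)) { return }   # looks the client up by -domain or -client

    if ($global:ClientCName -eq "") { $global:ClientCName = "none" }
    Write-Host "Search Domain used:" $global:cmdflag_domain
    Write-Host "Search Client used:" $global:cmdflag_client
    Write-Host "Found Client ID:" $global:ClientID
    Write-Host "Found Client Name:" $global:ClientName
    Write-Host "Found Company Name:" $global:ClientCName
    Write-Host "Found EMail as :" $global:ClientEmail
    Write-Host "-----------------------------------------------"

    Write-Host "performing add-hgclient"
    $DidAdd = add-hgclient -id $global:ClientID -name $global:ClientName -email $global:ClientEmail -company $global:ClientCName
    if ($DidAdd -eq "TRUE") { Write-Host "Added client to Database" } else { Write-Host "client was alread in Database" }
    $AddFirewall = Add-Whitelist -id $global:ClientID -servicename $global:ServiceName -ip $ip
    Write-Host "Added firewall:" $AddFirewall
    $PushFirewall = Push-Firewall
    Write-Host "Pushing new firewall rules:" $PushFirewall
}#end process
}#end  Add-WhiteListIP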

 

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

#                                 Delete-SpamSmarterMail

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

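function Delete-SpamSmarterMail {
<#
.SYNOPSIS
Deletes emails from the SmarterMail spools that match -pattern. Both files of a message (.eml and .hdr) are removed.

.DESCRIPTION
Walks the spool directory recursively, reads each .eml or .hdr file (whichever
-check names) line by line and matches every line against the -pattern regex.
On a match, -action delete removes that file and its .eml/.hdr twin; -action
show only lists the two files and stops after 20 matches, so you can test a
pattern safely. -directory is optional; when not set the current working
directory is used.

Sample: Delete-SpamSmarterMail -pattern ".*me@me\.com.*" -check hdr -action delete

.PARAMETER directory
Optional. Not setting this checks the current working directory. Otherwise the
path to the spools or a spool sub folder.

.PARAMETER check
Either eml or hdr: which part of the message is matched against the pattern.
Example: -check eml

.PARAMETER pattern
The regex a line of the checked file must match. Example: -pattern ".*vigra.*"

.PARAMETER action
What to do with the messages found: show or delete. show is non-destructive,
lists each pair of files and stops after 20 matches; use it to test a pattern.

.EXAMPLE
Check the email headers for the address me@me.com and delete the messages, in the current working directory
Delete-SpamSmarterMail -pattern ".*me@me\.com.*" -check hdr -action delete

.EXAMPLE
Check the message bodies for the word vigra and delete them.
Delete-SpamSmarterMail -pattern ".*vigra.*" -check eml -action delete -directory "c:\smartermail\spool"

.NOTES
This is recursive, so make sure you use the correct directory. Files that are
already gone or in use when the delete runs are skipped silently.
#>
[CmdletBinding()]
param (
    [parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [AllowEmptyString()]
    [string[]]$directory,

    [parameter(Mandatory=$true,ValueFromPipeline=$true)]
    [string[]]$pattern,

    [parameter(Mandatory=$true,ValueFromPipeline=$true)]
    [string[]]$check,

    [parameter(Mandatory=$true,ValueFromPipeline=$true)]
    [string[]]$action
)#End param

PROCESS {
    # The parameters are [string[]] for pipeline use; one value of each is what
    # this function works with. (The original length check ran on the array's
    # ToString(), "System.String[]", so it could never reject a short pattern.)
    [string]$pattern = $pattern
    [string]$check   = $check
    [string]$action  = $action

    #Give user feed back for switches and help
    if ($pattern.Length -lt 4) { Write-Host "-pattern is required and should be a regex. help for more information"; return }
    if ($check -ne "eml" -and $check -ne "hdr") { Write-Host "-check must be hdr or eml. help for more information"; return }
    if ($action -ne "show" -and $action -ne "delete") { Write-Host "-acion must be show or delete. help for more information"; return }

    # Returns 1 when any line of $file matches -pattern, else 0. On a match the
    # file and its .eml/.hdr twin are deleted (-action delete) or listed (-action
    # show). The 20-match limit for show is enforced by the caller, which is the
    # only place that can count across files.
    function Check-ForSpam([string]$file) {
        if (-not $file) { return 0 }
        $matched = 0
        foreach ($line in (Get-Content -LiteralPath $file)) {
            if ($line -match $pattern) { $matched = 1; break }   # one hit is enough
        }
        if ($matched -eq 0) { return 0 }

        # The other half of the message. Dot escaped: the original ".hdr$" matched any character.
        if ($check -eq "hdr") { $twin = $file -replace '\.hdr$', '.eml' } else { $twin = $file -replace '\.eml$', '.hdr' }

        if ($action -eq "delete") {
            # Either file may already be gone or be in use by SmarterMail at this
            # moment: best effort, move on. -LiteralPath keeps [ ] in names literal.
            foreach ($path in @($file, $twin)) {
                try { Remove-Item -LiteralPath $path -ErrorAction Stop } catch { }
            }
        }
        else {
            Write-Host "Would Delete:" $file
            Write-Host "Would Delete:" $twin
        }
        return 1
    }

    if ($directory) {
        $root = [string]$directory
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Host "Directory specified doesn't exsist"
            Write-Host "You Entered: -diectory" $root
            Write-Host "Please Try again. You can cd into the spool directory then not specify -diretory"
            return
        }
        $root = (Get-Item -LiteralPath $root).FullName
        Write-Host "Using -direcoty Path" $root
    }
    else {
        $root = (Get-Location).Path
        Write-Host "Using CWD Path" $root
    }

    $counter = 0
    $notSpam = 0
    $isSpam  = 0

    # Anchored on the extension; the original ".*\.hdr" also picked up "x.hdr.bak".
    if ($check -eq "hdr") { $filter = '\.hdr$' } else { $filter = '\.eml$' }

    #This can take some time to load this object
    $files = @(Get-ChildItem -Recurse -LiteralPath $root | Where-Object { -not $_.PSIsContainer -and $_.FullName -match $filter })

    #This stops the division by zero error in the progress bar when nothing matched
    [int]$fileCount = $files.Count
    if ($fileCount -lt 1) { $fileCount = 1 }

    foreach ($item in $files) {
        #Since $files might be giant
        #We offer another solution to exit the script
        #it is still [control] c but we are not requiring the break on update for console
        #this will exit more often than not when used vs not having it at all
        if ([console]::KeyAvailable) {
            $key = [System.Console]::ReadKey($true)
            if (($key.Modifiers -band [ConsoleModifiers]"Control") -and ($key.Key -eq "C")) {
                Write-Host "Terminating..."
                return
            }
        }

        $counter++
        $fullPath = $item.FullName
        # Percent, not a 0..1 fraction: Write-Progress wants 0-100.
        $percent = [int](100 * $counter / $fileCount)
        if ((Check-ForSpam $fullPath) -eq 1) {
            $isSpam++
            Write-Progress -Activity "Spam  $fullPath" -Status "checking emails" -PercentComplete $percent
            if ($action -eq "show" -and $isSpam -ge 20) {
                Write-Host "Stopping after 20 matches (-action show)"
                break
            }
        }
        else {
            $notSpam++
            Write-Progress -Activity "Ignoring  $fullPath" -Status "No Spam: " -PercentComplete $percent
        }
    }

    Write-Host "Total Not Spam: $notSpam"
    Write-Host "Total Is Spam: $isSpam"
    Write-Host "--------------------------"
    Write-Host "Total Items: $counter"
}#End process
}#End Function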

 

 

 

 

 

 

 

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

#                                 Check-RDPLogins

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

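function Check-RDPLogins {
<#
.SYNOPSIS
List RDP logons from the Security event log.

.DESCRIPTION
Lists successful (4624) or, with -failed, failed (4625) RemoteInteractive
(LogonType 10, i.e. RDP) logons from the Security log for the last day, or for
the window given by -days or -hours. Two tables are printed: the most recent
event per account, then every event. No switches means 1 day back.

.PARAMETER days
optional: How many days to go back from now. Default is 1 day. Wins over -hours.

.PARAMETER hours
optional: How many hours to go back from now. No default.

.PARAMETER failed
optional: show only failed logins. Default is to show good logins.

.EXAMPLE
Check-RDPLogins -days 30

.NOTES
Pretty output, don't pipe. Reading the Security log needs an elevated session.
#>
[CmdletBinding()]
param (
    [parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [int]$days,
    [parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [switch]$failed,
    [parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [int]$hours
)#End param

PROCESS {
    # How far back to look, in milliseconds: -days wins over -hours; neither means 1 day.
    if ($days) {
        Write-Host "Going back $days"
        $windowMs = [int64]$days * 86400000
    }
    elseif ($hours) {
        Write-Host "Going back $hours hours"
        $windowMs = [int64]$hours * 3600000
    }
    else {
        Write-Host "Days not specified going back 1 day"
        $windowMs = [int64]86400000
    }
    $since = [DateTime]::Now.AddMilliseconds(-1 * $windowMs)

    # The EventData layout differs between the two events: for 4624 (success)
    # the IpAddress field is property 18, for 4625 (failure) it is property 19.
    # TargetUserName is property 5 in both. LogonType 10 = RemoteInteractive (RDP).
    if ($failed) {
        $eventId = 4625
        $ipColumn = 19
        Write-Host "Checking Failed Logins"
    }
    else {
        $eventId = 4624
        $ipColumn = 18
        Write-Host "Checking Good Logins"
    }

    # The time window is part of the XPath, so the log only returns events from
    # the window instead of every 4624/4625 ever written being pulled and then
    # discarded by Where-Object; the Where-Object stays as a cheap second check.
    $xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=$eventId) and TimeCreated[timediff(@SystemTime) <= $windowMs]] and EventData[Data[@Name='LogonType']='10']]"
    # Get-WinEvent reports "no events found" as an error rather than an empty
    # result, so that case is silenced and handled below.
    $evt = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -ge $since })
    if ($evt.Count -eq 0) {
        Write-Host "No matching logins since $since"
        return
    }

    $columns = @(
        @{n="UserName";   e={$_.Properties[5].Value}},
        @{n="LogOn";      e={$_.TimeCreated}},
        @{n="IP Address"; e={$_.Properties[$ipColumn].Value}}
    )

    # Get-WinEvent returns newest first (no -Oldest), so Group[0] is the latest event per account.
    Write-Host "Last login for users:"
    $evt | Group-Object { $_.Properties[5].Value } | ForEach-Object { $_.Group[0] } | Select-Object $columns

    Write-Host " "
    Write-Host "List of logins and times:"
    $evt | Select-Object $columns
}#End Process
}#End Function Check-RDPLogins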

 

 

 

 

########################################################################

# Check-Spamhaus

# Version 1.0

# Created by: Mell Rosandich

########################################################################

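function Check-Spamhaus {
<#
.SYNOPSIS
Checks an IPv4 address against a list of DNSBLs.

.DESCRIPTION
Queries every zone in the built-in list for the given IPv4 address (or, with
-ip ifaces, for every IPv4 address bound to this server's adapters except
10.x addresses). A zone answering with a 127.0.0.x address means the IP is
listed there; no answer means it is not. Any other answer is reported as
unexpected rather than as a listing.

.PARAMETER ip
The IPv4 address to check, or ifaces for all IPv4 addresses on the server.

.EXAMPLE
check an ip address
Check-Spamhaus -ip 8.8.8.8

.EXAMPLE
check all ipv4 addresses on the host
Check-Spamhaus -ip ifaces

.NOTES
Only works for IPv4. "listed" lines go to the host in red; "NOT listed" lines
are written to the pipeline.
#>
[CmdletBinding()]
param (
    [parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [string[]]$ip
)

PROCESS {
    [string]$ip = $ip

    # Queries every zone for one IPv4 address. A listing is any answer in
    # 127.0.0.0/24; which code a zone returns depends on the zone and on the
    # listing reason, so all of them count. (The original only recognised
    # 127.0.0.10 and silently dropped every other listing, and skipped the first
    # zone in the list because its loop started at index 1.)
    function CheckDNSBL([string]$ip) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
            $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
            Write-Host "Skipping '$ip': not an IPv4 address" -ForegroundColor Yellow
            return
        }
        Write-Host "Checking IP:" $ip
        # DNSBL lookups use the octets in reverse order: 1.2.3.4 -> 4.3.2.1.<zone>
        $octets = $ip.Split(".")
        [string]$reversed = [string]::Join(".", $octets[3..0])

        # NOTE(review): some of these zones may no longer be operated. A zone
        # whose domain has lapsed can answer for every name (false "listed"
        # results) or never answer (a silent "NOT listed"); check the list
        # against the zones' current status before trusting the output.
        [string[]]$dnsbl = @(
            "b.barracudacentral.org";
            "bl.deadbeef.com";
            "bl.emailbasura.org";
            "bl.spamcannibal.org";
            "bl.spamcop.net";
            "blackholes.five-ten-sg.com";
            "blacklist.woody.ch";
            "bogons.cymru.com";
            "cbl.abuseat.org";
            "cdl.anti-spam.org.cn";
            "combined.abuse.ch";
            "combined.rbl.msrbl.net";
            "db.wpbl.info";
            "dnsbl-1.uceprotect.net";
            "dnsbl-2.uceprotect.net";
            "dnsbl-3.uceprotect.net";
            "dnsbl.ahbl.org";
            "dnsbl.cyberlogic.net";
            "dnsbl.inps.de";
            "dnsbl.njabl.org";
            "dnsbl.sorbs.net";
            "drone.abuse.ch";
            "duinv.aupads.org";
            "dul.dnsbl.sorbs.net";
            "dul.ru";
            "dyna.spamrats.com";
            "dynip.rothen.com";
            "http.dnsbl.sorbs.net";
            "images.rbl.msrbl.net";
            "ips.backscatterer.org";
            "ix.dnsbl.manitu.net";
            "korea.services.net";
            "misc.dnsbl.sorbs.net";
            "noptr.spamrats.com";
            "ohps.dnsbl.net.au";
            "omrs.dnsbl.net.au";
            "orvedb.aupads.org";
            "osps.dnsbl.net.au";
            "osrs.dnsbl.net.au";
            "owfs.dnsbl.net.au";
            "owps.dnsbl.net.au";
            "pbl.spamhaus.org";
            "phishing.rbl.msrbl.net";
            "probes.dnsbl.net.au";
            "proxy.bl.gweep.ca";
            "proxy.block.transip.nl";
            "psbl.surriel.com";
            "rbl.interserver.net";
            "rdts.dnsbl.net.au";
            "relays.bl.gweep.ca";
            "relays.bl.kundenserver.de";
            "relays.nether.net";
            "residential.block.transip.nl";
            "ricn.dnsbl.net.au";
            "rmst.dnsbl.net.au";
            "sbl.spamhaus.org";
            "short.rbl.jp";
            "smtp.dnsbl.sorbs.net";
            "socks.dnsbl.sorbs.net";
            "spam.abuse.ch";
            "spam.dnsbl.sorbs.net";
            "spam.rbl.msrbl.net";
            "spam.spamrats.com";
            "spamlist.or.kr";
            "spamrbl.imp.ch";
            "t3direct.dnsbl.net.au";
            "tor.ahbl.org";
            "tor.dnsbl.sectoor.de";
            "torserver.tor.dnsbl.sectoor.de";
            "ubl.lashback.com";
            "ubl.unsubscore.com";
            "virbl.bit.nl";
            "virus.rbl.jp";
            "virus.rbl.msrbl.net";
            "web.dnsbl.sorbs.net";
            "wormrbl.imp.ch";
            "xbl.spamhaus.org";
            "zen.spamhaus.org";
            "zombie.dnsbl.sorbs.net"
        )

        foreach ($zone in $dnsbl) {
            $query = "$reversed.$zone"
            try {
                $answers = @([System.Net.Dns]::GetHostAddresses($query) | Select-Object -ExpandProperty IPAddressToString)
            }
            catch {
                $answers = @()   # name does not resolve: not listed
            }
            $listed = @($answers | Where-Object { $_ -like "127.0.0.*" })
            $other  = @($answers | Where-Object { $_ -notlike "127.0.0.*" })
            if ($listed.Count -gt 0) {
                Write-Host "IP $ip is listed in DNSBL $zone ($($listed -join ','))" -ForegroundColor "Red"
            }
            elseif ($other.Count -gt 0) {
                # Not a listing code; zones use other answers for query errors or
                # a lapsed domain may be answering. Reported so it is not mistaken
                # for either result.
                Write-Host "IP $ip got an unexpected answer from $zone ($($other -join ',')) - check the zone" -ForegroundColor "Yellow"
            }
            else {
                "IP $ip is NOT listed in DNSBL " + $zone
            }
        }
    } # End of Function CheckDNSBL

    if ($ip -eq "") {
        Write-Host "IP not specified -ip: give an IPv4 address or ifaces"
        return
    }
    if ($ip -ne 'ifaces') {
        CheckDNSBL $ip
        return
    }

    # ifaces: every IPv4 address on a configured adapter. 10.x addresses are
    # skipped, as the original did; the IPv4 check in CheckDNSBL drops the rest.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -like '*.*.*.*' }
    foreach ($adapter in $adapters) {
        foreach ($address in $adapter.IPAddress) {
            if ($address.StartsWith("10.")) { continue }
            if ($address -like '*.*.*.*') { CheckDNSBL $address }
        }
    }
}#end process
}#end Check-Spamhaus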