From 0489be1e7d9ef45deca7a8cadd21793a34ef712e Mon Sep 17 00:00:00 2001
From: "Mariusz B. / mgeeky"
Date: Tue, 27 Jun 2023 21:15:51 +0200
Subject: [PATCH] Added two Office365 opaque rules: 42882007 and 78352004 identified by ipSlav
---
 README.md | 12 +++++++++++-
 decode-spam-headers.py | 6 +++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 9eb0aa4..fe75b4f 100644
--- a/README.md
+++ b/README.md
@@ -262,7 +262,11 @@ Having sent more than 60 mails already, this is what I can tell by now about Mic
 # Triggered on an empty text message, subject "test" - that was marked with "Domain Impersonation", however
 # ForeFront Anti-Spam headers did not support that Domain Impersonation. Weird.
- '22186003' : '(GUESSING) Something to do with either Text message (non-HTML) or probable Domain Impersonation'
+ '22186003' : '(GUESSING) Something to do with either Text message (non-HTML) or probable Domain Impersonation',
+
+ # Found by @ipSlav (https://github.com/mgeeky/decode-spam-headers/issues/15)
+ '42882007' : 'Missing Reply-To Address. Might be fixed by adding -ReplyTo flag to Send-MailMessage',
+ '78352004' : 'Missing Reply-To Address. Might be fixed by adding -ReplyTo flag to Send-MailMessage',
 }
 ```
@@ -669,6 +673,12 @@ ANALYSIS:
 - But instead first hop resolved to: arubacloud.pl
 ```
+---
+
+### Credits
+
+- [ipSlav](https://github.com/ipSlav) - for [identifying two Office365 opaque rules](https://github.com/mgeeky/decode-spam-headers/issues/15): `42882007` and `78352004`
+
 ---
diff --git a/decode-spam-headers.py b/decode-spam-headers.py
index dcb3ab1..ff0c538 100644
--- a/decode-spam-headers.py
+++ b/decode-spam-headers.py
@@ -900,7 +900,11 @@ class SMTPHeadersAnalysis:
 # Triggered on an empty text message, subject "test" - that was marked with "Domain Impersonation", however
 # ForeFront Anti-Spam headers did not support that Domain Impersonation. Weird.
- '22186003' : '(GUESSING) Something to do with either Text message (non-HTML) or probable Domain Impersonation'
+ '22186003' : '(GUESSING) Something to do with either Text message (non-HTML) or probable Domain Impersonation',
+
+ # Found by @ipSlav (https://github.com/mgeeky/decode-spam-headers/issues/15)
+ '42882007' : 'Missing Reply-To Address. Might be fixed by adding -ReplyTo flag to Send-MailMessage',
+ '78352004' : 'Missing Reply-To Address. Might be fixed by adding -ReplyTo flag to Send-MailMessage',
 }
 ForeFront_Spam_Confidence_Levels = {
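Review bot: The two new entries `'42882007'` and `'78352004'` state "Missing Reply-To Address" as settled fact, while the neighbouring `'22186003'` entry marks an inferred meaning with a `(GUESSING)` prefix. These rule IDs are opaque and the mapping appears to rest on a single issue report, so carrying the same marker would keep an analyst reading the tool's output from over-trusting the label, e.g. `'42882007' : '(GUESSING) Missing Reply-To Address. Might be fixed by adding -ReplyTo flag to Send-MailMessage',` and likewise for `78352004`. Both IDs also share a byte-identical description with nothing recording whether they were observed together or on separate messages; a one-line comment above them such as `# Both IDs observed on messages sent without a Reply-To header; not independently confirmed` would capture that. The enclosing dictionary starts outside this hunk, so its name and remaining entries are not visible here.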