Wandering Thoughts archives


On classifying phish spam as malware, an update

Back a number of years ago I noted that our commercial anti-spam filter was counting some varieties of phish spam as 'viruses', and I wrote some thoughts on why this might make sense. I now think that I was partly wrong about some of why the filter was acting this way. What's happened since then is that we now log some information about the structure of incoming messages as part of logging MIME attachment type information, which has given me the opportunity to see more information about the structure of many of these messages.

So here is a typical entry from our logs of the rejection, giving the information the anti-spam filter gave us:

rejected 1byktC-00047A-8j from to <redacted>: identified virus: Mal/Phish-A

And here is the MIME attachment type information for the same message:

1byktC-00047A-8j attachment application/octet-stream; MIME file ext: .html

That's right: as far as I can tell, all of the phish spam being rejected this way has had a .html attachment. This sample was in a MIME multipart/mixed structure; the other part or parts of the structure were something we consider uninteresting and didn't log.
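As an added illustration (not code from the original post or from our mail system), here is a small Python routine that walks a message's MIME structure and emits the same sort of "attachment <type>; MIME file ext: <ext>" record, plus a check for the pattern described above: an attachment whose filename ends in .html, whatever content type it is declared as. The sample message is constructed inline and is not a real capture; the message id is the one quoted in the log entry above.

```python
import email
import os
from email import policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed sample: multipart/mixed with a text body plus an .html
    attachment declared as application/octet-stream (the shape in the post)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Account notice"
    msg.set_content("Please open the attached document.")
    msg.add_attachment(b"<html><body>placeholder form</body></html>",
                       maintype="application", subtype="octet-stream",
                       filename="document.html")
    return msg.as_bytes()


def attachment_info(raw: bytes) -> list[tuple[str, str]]:
    """Return (declared content type, lowercased filename extension) for each
    non-multipart MIME part that carries a filename or an attachment disposition.
    Plain body parts with neither are skipped, like the 'uninteresting' parts
    the post's logger does not record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if part.get_content_disposition() != "attachment" and filename is None:
            continue
        ext = os.path.splitext(filename or "")[1].lower()
        found.append((part.get_content_type(), ext))
    return found


def log_lines(msg_id: str, raw: bytes) -> list[str]:
    """Format records in the style of the post's attachment log."""
    return [f"{msg_id} attachment {ctype}; MIME file ext: {ext}"
            for ctype, ext in attachment_info(raw)]


def has_html_attachment(raw: bytes) -> bool:
    """True if any attachment is an .html/.htm file, regardless of the declared
    type; application/octet-stream carrying .html is exactly the case logged."""
    return any(ext in (".html", ".htm") for _ctype, ext in attachment_info(raw))
```

Feeding a maildir or a spool of rejected messages through `log_lines` reproduces the kind of summary the post is drawing on, and `has_html_attachment` is the one-line query that the log data made possible.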

To me, this puts a somewhat different spin on our commercial anti-spam filter detecting phish spam. The entire purpose of its virus detecting side of things is to look at attachments and detect bad stuff (and then strip it out). Should it pass up detecting phish stuff in attachments, just because that's a different sort of bad stuff than it normally looks for?

(Since you can embed other sorts of malware in .html attachments (and people do), the virus detecting side already has to look at such attachments.)

There's still a conscious choice here to include phish as part of the 'malware' that the anti-virus detection looks for, but I think it's a more natural thing to do for attachments that the software is already scanning for other things. It's less of a special case, both for detection and, presumably, for stripping out these attachments the way it does other virus-contaminated attachments.

PS: Sophos's detailed information page on this label does specifically mention that these web pages are often sent as (spam) attachments.

spam/PhishAsMalwareII written at 21:43:27

How I've wound up being one of the people who don't update IoT firmware

The security of the various assorted devices that make up the broad Internet of Things has been in the news recently, both for direct IoT devices like thermostats and fridges and for the broader category of Internet-related boxes like DSL routers and wireless access points (often these are the same device, of course). In the spirit of this I tweeted this admission:

True story: I have no idea how to get firmware updates for my DSL modem/router. The actual maker (Smart/RG) doesn't seem to distribute them.

Twitter isn't the right place for long explanations, so let's cover how a sysadmin who knows something about security wound up in this potential mess.

When I moved from plain DSL to VDSL, I needed a new VDSL-capable modem, so I did the obvious thing; I asked the little boutique ISP what they recommended for this. They said 'we recommend the Smart/RG SR505N, but we don't sell them so you'll have to find a reseller'. Smart/RG apparently makes well-regarded products but doesn't try to sell them directly to end users like me. Instead Smart/RG focuses on distributing products through (large) ISPs, where the ISP either sells or rents you the DSL router or whatever. There are a number of ISPs in Canada and even in Ontario that distribute them to customers, but of course you have to be a customer of the ISP. Well, no matter, I found a reseller on Amazon, ordered a unit, and got it. Since my SR505N comes straight from a reseller, its firmware is unbranded, unrestricted and unlocked, and configured generically (to the point where making it work with the local VDSL took some flailing around).

Since Smart/RG's focus is on distributing through ISPs, they don't seem to make any sort of firmware updates available on their website. This is perfectly sensible from Smart/RG's perspective, and in fact for an average customer it's entirely the right answer; it could be a disaster for a customer to overwrite a carefully set up and configured ISP-specific firmware image with a generic one pulled from Smart/RG's site. Since the SR505N seems to be popular with ISPs, various ISPs make various firmware update images generally available on their websites.

You'll notice that all of those ISPs I linked to have different firmware versions. That's one of the problems with just grabbing one of them and trying a firmware update; which version is the right version to use? Is Teksavvy still on the older version because they've determined that there is some problem with the newer one, or because they haven't gotten around to testing anything more recent (perhaps because they consider the fixes unimportant)? The other problem is the inverse of Smart/RG's problem, namely that if I update to an ISP's firmware image I presumably get their branding, their embedded configuration, and perhaps their restrictions (if any). This could easily cause havoc (or at least annoyance) with my perfectly fine current setup.

In theory perhaps the reseller I got my SR505N from should be providing me with firmware updates. In practice, no, this is not happening. The reseller is an Amazon storefront and their business is getting things from companies that don't normally deal with end users and selling said things to end users. This is a useful service and it certainly involves devices with firmware updates, but asking them to test, qualify, and distribute firmware updates is well beyond what you can expect for customer support. For a start, there's no (additional) money in it, unlike with an ISP dealing with a customer.

So there I am. I have a perfectly good VDSL router (which I mostly use as a VDSL modem), but I can't feasibly get firmware updates for it unless it's a dire emergency (at which point I'd have to try firmware updates from random ISPs). And I don't feel that anyone involved in this entire chain of circumstances did anything wrong; we all made completely rational decisions. We just collectively wound up with my Smart/RG SR505N VDSL router being another little piece in the Internet of potentially vulnerable and not being updated Things.

(I maintain my decision was rational; my actual goal was upgrading to VDSL service and the VDSL router was and is a tool to get there. I wanted an appliance and I got an appliance. I definitely did not want to spend weeks trying to research and order an open source friendly VDSL router/modem, presuming such a thing even exists in the first place.)

tech/MyDSLRouterNoFirmwareUpdates written at 01:20:07


This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.