Wandering Thoughts archives

2013-08-25

On classifying phish spam as malware

As I noted recently, our commercial anti-spam filter counts at least some varieties of phish spam as 'viruses', by which it means malware in general. I find myself with divided opinions on this.

On the one hand, phish spam does not fit the traditional definition of malware. There is no executable (however well disguised) that will do bad things to your machine; all of the bad things that phish spam does happen in the human being in front of the computer. In theory, part of the reason an anti-spam and anti-virus system strips malware from email is that such malware is extremely damaging and all but impossible for people to detect themselves (if they even get a chance). Phish spam doesn't have this clearly damaging property.

On the other hand, phish spam clearly does have a very bad effect on your computing environment. You would block a trojan that passively stole passwords; well, phish spam is that trojan without the executable, getting your users to simply hand their passwords to the attacker. If your anti-virus filter's job is to prevent damage to your computer systems, classifying phish spam as a form of malware and stripping it from inbound email makes a decent amount of sense.

Does this issue matter in practice? It may. The problem is user expectations and especially false positives in an environment where some users do not want the mail system to do spam filtering for them.

(My feeling is that false positives on phish spam are both more likely and more dangerous than for other sorts of malware because phish spam doesn't involve code, just natural language. Lots of normal, legitimate email is natural language; very little involves executable code. Of course a lot depends on how narrow or broad the 'phish as malware' detection is, ranging from known phish attacks all the way out to things that score as sufficiently phish-like.)

PhishAsMalware written at 23:26:16

2013-08-23

Looking at how many viruses we've seen in email recently

Once upon a time people were very worried about viruses being spread through email and devoted a lot of time and effort to eradicating them (sometimes going so far as to refuse all zipfiles and the like). The last time I looked at this we had very few viruses being recognized, but that was a couple of years ago and today I was curious to see if things had changed.

(Technically what I am actually looking at is the amount of detected malware. Viruses are only one of the types of malware that can be spread through email.)

Because our email system does two stages of filtering I have to give two sets of numbers. All of these are over the last 30 days because I decided that that was a good time range for 'current activity'. First, in our SMTP-time milter-based filtering, which only covers some email, we checked 44,000 messages and found 316 'viruses'. This is actually highly misleading because our commercial black box spam+AV filter classifies some phish messages as viruses instead of plain spam. It turns out that most of the detected viruses were in fact phishing messages; 232 out of 318, leaving 84 real viruses.

The main anti-spam processing (which every accepted email goes through) handled 503,000 messages and found 2,445 viruses. Again this includes some phishing messages but this time a lot fewer, only 913. That leaves 1,532 real viruses or a detected virus rate of 0.3% of our incoming email.

Actual malware is potentially very damaging, so I'm glad we have the anti-virus filtering even if we don't see many of them. I might feel differently if we paid any significant amount of money for it (although there are free options if we ever need them).

(I was going to say something about classifying phish spam as malware but my thoughts on this are long enough that I want to put them in a separate entry.)

EmailVirusCount-2013-08 written at 00:16:08
