On classifying phish spam as malware

August 25, 2013

As I noted recently, our commercial anti-spam filter counts at least some varieties of phish spam as 'viruses', by which it means malware in general. I find myself with divided opinions on this.

On the one hand, phish spam does not fit the traditional definition of malware. There is no executable (however well disguised) that will do bad things to your machine; all of the bad things that phish spam does happen in the human being in front of the computer. In theory the purpose of an anti-spam and anti-virus system stripping malware from email is partly that such malware is extremely damaging and all but impossible for people to detect themselves (if they even get a chance). Phish spam doesn't have this clearly damaging property.

On the other hand, phish spam does clearly have a very bad effect on your computing environment. You would block a trojan that passively stole passwords; well, phish spam is that trojan without an executable but with getting your users to just give their passwords to the attacker. If your anti-virus filter's job is to prevent damage to your computer systems, classifying phish spam as a form of malware and stripping it from inbound email makes a decent amount of sense.

Does this issue matter in practice? It may. The problem is user expectations and especially false positives in an environment where some users do not want the mail system to do spam filtering for them.

(My feeling is that false positives on phish spam are both more likely and more dangerous than for other sorts of malware because phish spam doesn't involve code, just natural language. Lots of normal, legitimate email is natural language; very little involves executable code. Of course a lot depends on how narrow or broad the 'phish as malware' detection is, ranging from known phish attacks all the way out to things that score as sufficiently phish-like.)

Comments on this page:

From at 2013-08-26 20:40:08:

I'm not sure what the company backing it seems to have against having a category called Suspected Phishing, or even just a more alarmist PHISHING!!! Unless it's for marketing purposes.

- MP

By cks at 2013-08-26 23:15:21:

It's clearly a conscious decision. This commercial software has both anti-spam and anti-virus functions; spam is scored, while 'viruses' are normally stripped and/or quarantined (we just strip). Some phish spam simply gets scored as spam but some gets classified as a virus that the software labels as 'Mal/Phish-A' and is then subject to the anti-virus actions (which in our setup are much more aggressive and cannot be opted out of; I think this is also true of the software's default setup).

Given this I have to assume that the software designers actively wanted at least some phish spam to be aggressively filtered out, much more so than ordinary spam. My entry is thinking out loud about whether this makes sense and is justifiable.

Written on 25 August 2013.
« Adding basic quoting to your use of GNU Readline
An example GNU Readline quoting function »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Aug 25 23:26:16 2013
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.