On classifying phish spam as malware, an update
Back a number of years ago I noted that our commercial anti-spam filter was counting some varieties of phish spam as 'viruses', and I wrote some thoughts on why this might make sense. I now think that I was partly wrong about some of why the filter was acting this way. What's happened since then is that we now log some information about the structure of incoming messages as part of logging MIME attachment type information, which has given me the opportunity to see more information about the structure of many of these messages.
So here is a typical entry from our logs of the rejection, giving the information the anti-spam filter gave us:
rejected 1byktC-00047A-8j from firstname.lastname@example.org to <redacted>: identified virus: Mal/Phish-A
And here is the MIME attachment type information for the same message:
1byktC-00047A-8j attachment application/octet-stream; MIME file ext: .html
That's right: as far as I can tell, all of the phish spam being rejected this way has had a .html attachment. This sample was in a MIME multipart/mixed structure; the other part or parts of the structure were something we consider uninteresting and didn't log.
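As an added illustration (not code from the original post), here is how the attachment-structure logging described above can be reproduced with Python's standard email parser over a constructed message modelled on the log entries; it also flags the specific shape observed here (multipart/mixed carrying an application/octet-stream part named *.html), which is a cue worth logging, not a verdict on its own.

```python
# Added example, not from the original post: walk a MIME message the way the
# attachment logging described above does, recording each attachment's declared
# content type and filename extension, and flag the pattern the post observed.
import email
from email import policy
import os

# Constructed sample message, modelled on the log entries in the post; the
# addresses, subject and body are made up.
SAMPLE = b"""\
From: firstname.lastname@example.org
To: victim@example.com
Subject: Account notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please see the attached notice.
--b1
Content-Type: application/octet-stream; name="notice.html"
Content-Disposition: attachment; filename="notice.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1--
"""

def attachment_info(raw):
    """Return (top-level content type, [(part content type, extension), ...])
    for every non-multipart part that carries a filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # inline bodies are the 'uninteresting' parts left unlogged
        ext = os.path.splitext(name)[1].lower()
        parts.append((part.get_content_type(), ext))
    return msg.get_content_type(), parts

def log_lines(msgid, raw):
    """Render one log line per attachment in the style of the post's logs."""
    _, parts = attachment_info(raw)
    return ["%s attachment %s; MIME file ext: %s" % (msgid, c, e) for c, e in parts]

def looks_like_html_phish_attachment(raw):
    """True for the shape observed above: multipart/mixed with an
    application/octet-stream attachment whose filename ends in .html."""
    top, parts = attachment_info(raw)
    return top == "multipart/mixed" and any(
        c == "application/octet-stream" and e == ".html" for c, e in parts)
```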
To me, this puts a somewhat different spin on our commercial anti-spam filter detecting phish spam. The entire purpose of its virus detecting side of things is to look at attachments and detect bad stuff (and then strip it out). Should it pass up detecting phish stuff in attachments, just because that's a different sort of bad stuff than it normally looks for?
(Since you can embed other sorts of malware in .html files (and people do), the virus detecting side already has to look at them.)
There's still a conscious choice here to include phish as part of the 'malware' that the anti-virus detection looks for, but I think it's a more natural thing to do for attachments that the software is already scanning for other things. It's less of a special case both for detection and, presumably, for stripping out these attachments the way it does other virus-contaminated ones.
PS: Sophos's detailed information page on this label does specifically mention that these web pages are often sent as (spam) attachments.