
I'm working on finding infection points in the EML file format. I want to know on what grounds a scanner declares an email as spam or an attachment as malicious.

I mean, does it scan by MIME content or by some other pointer? Is malicious content detectable based on just the file type/MIME content? How is the attachment scanned?

I had put the EICAR test string on a check against an ESET scan to detect it as malicious, but the file came out clean, whereas all standard antiviruses declare EICAR as an antivirus test or something of that sort.

rhym1n

1 Answer


Spam and malware detection on mail files is done with a variety of techniques. To give you some idea of the techniques and heuristics involved here are some examples. Note that these examples are far from a complete list:

  • Information about the delivery path in the mail header, i.e. the Received headers. These might be used to extract the sender IP address and check it against blacklists. Also DKIM-Signature and Received-SPF headers, typical spam subjects or similar.
  • Type and structure of attachments, i.e. a ZIP file with a *.js file inside is typically malware. An HTML attachment with JavaScript is often phishing. An Office document embedded in a PDF is usually malware too, etc.
  • The content of attachments checked by an antivirus, i.e. a check for macros in Word documents or similar.
  • Links included in the mail which refer to phishing sites.
  • Comparison with previously classified mails, i.e. similarity to known spam, phishing or malware.
  • ...

Note that most of these are just heuristics. This means that even if some features are very typical for spam or phishing, they might sometimes happen in innocent mails too. Thus there is always a chance that a detection is actually a false positive, i.e. something innocent detected as bad. Similarly, there is always the chance that something bad is not detected and considered innocent (a false negative).

Steffen Ullrich
  • Is it possible to get more details about the pointers you've mentioned here steffen? Can I get an exhaustive list of heuristics, maybe? – rhym1n Aug 21 '17 at 06:34
  • @rhym1n: I doubt that you can get an exhaustive list anywhere, since especially the heuristics are continuously evolving while attackers try to bypass existing heuristics. I think you have to dig deeper into scientific publications to get a feeling for what can be done and then derive from that what could be done in practice. Definitely a broad and not an easy topic. – Steffen Ullrich Aug 21 '17 at 07:49
  • Much thanks, Steffen, I'll do so and will reach out in case I need your help again! – rhym1n Aug 21 '17 at 10:00
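As an added example (not part of the question or the answer above), the following Python script applies several of the header and attachment heuristics from the answer to a constructed EML message: it pulls relay IPs from the Received headers for a blocklist lookup, notes missing DKIM-Signature/Received-SPF headers, flags lure wording in the subject, and inspects a ZIP for script files and an HTML attachment for JavaScript. The header values, file names, lure words and script extensions are assumptions for the demonstration, not rules from the page.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXT = (".js", ".vbs")            # assumed: script types commonly wrapped in ZIP lures
LURE_SUBJECT = re.compile(r"invoice|overdue|urgent", re.I)   # assumed lure words

def build_sample_eml() -> bytes:
    """Constructed test message: one Received hop, no DKIM/SPF, a ZIP holding a .js file, an HTML attachment with <script>."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@example.test", "user@example.test"
    msg["Subject"] = "Invoice 4471 - payment overdue"
    msg["Received"] = "from mx.example.test ([192.0.2.10]) by mail.example.test"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// placeholder, constructed for the example")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment("<html><script>/* placeholder */</script></html>", subtype="html", filename="view.html")
    return msg.as_bytes()

def analyze_eml(raw: bytes) -> list[str]:
    """Apply header and attachment heuristics to one message; each finding is a hint to weight, not a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for hop in msg.get_all("Received", []):        # relay IPs are what a blocklist lookup would use
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop):
            findings.append(f"relay ip {ip}: check against blocklists")
    for hdr in ("DKIM-Signature", "Received-SPF"):  # authentication headers the answer mentions
        if msg.get(hdr) is None:
            findings.append(f"missing {hdr} header")
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        findings.append("subject uses typical lure wording")
    for part in msg.iter_attachments():             # type and structure of attachments
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if part.get_content_type() == "application/zip" or name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    scripts = [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXT)]
                if scripts:
                    findings.append(f"zip {name} contains script file(s): {scripts}")
            except zipfile.BadZipFile:               # label says zip, bytes do not: worth a finding on its own
                findings.append(f"{name} is labelled zip but is not a valid archive")
        elif part.get_content_type() == "text/html" and b"<script" in data.lower():
            findings.append(f"html attachment {name} contains javascript")
    return findings
```

Run `analyze_eml(build_sample_eml())` to see all six findings for the constructed message; a plain text mail with DKIM and SPF headers yields only the relay IP lookup hint.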