how to find protocol inside protocols

like sometimes we are receiving some mail with virus,malware,spam,trojans etc but most these mail are coming through HTTP port.but exactly there is an encaptulation the virus or malware producers putting there malware in side HHTP protocol to hide it.is there any functionality to find out is is a malware encapsulated data or a legitimate deta?