Subject: Re: postfix md5 rule?
To: None <netbsd-help@NetBSD.org>
From: Chuck Yerkes <chuck+nbsd@2004.snew.com>
List: netbsd-help
Date: 02/02/2004 20:38:06
Quoting James K. Lowden (jklowden@schemamania.org):
> On Sat, 31 Jan 2004 23:05:46 -0800, "David S." <davids@idiom.com> wrote:
...
> Spam I actually have under control, pretty much, famous last words.  
> 
> Viruses are a nuisance, though, because they originate from anywhere, and
> sometimes superficially seem to be from someone I know (by design).  The
> payload of a virus-sent message, I believe, is fixed, which is why I want
> to analyze the attachment in the MTA.  If I get clever enough, I won't
> even maintain my "known attachments" list manually.  I'll keep a digest of
> every attachment ever received, and the location of the file, if any.  
> 
> The probability of any two people sending me the same attachment for
> legitimate reasons is really, really small, and from three people, smaller
> still.  If the same thing arrives three times, I'd be happy to have my
> system assume it's a virus and react accordingly.  Beats waking up to 100
> useless messages the next morning.   
> 
> Per Perry's suggestion, I already reject most attachment types, but .zip I
> allow, for obvious reasons.  Automatic examination of the attachment seems
> like the next logical step.  


Again, vipul's razor was designed (2001?) along these lines.

- Read a mail
- "normalize it"  (attempt to identify unique things like "Dear $RECIPIENT"
  and those bits of random text within)
- Derive a checksum
- Contact a central repository with said checksum to see if it's
  been turned in as spam already.


Note too that MimeDefang is a fine and EASY place to do what you want.
You could even get twisted and submit the checksum to your DNS server
as a dynamic entry with nsupdate.

Look it up in DNS; if it fails:
put it into "$CHECKSUM.attachmentsums.example.com" with a 5 day lifetime.
DDNS in bind will expire it after 5 days.
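The DNS-backed checksum store sketched above, as an added example (not code from the post, from MimeDefang, or from Vipul's Razor). It assumes the zone name attachmentsums.example.com from the post, a DNSBL-style A record of 127.0.0.2 marking a registered digest, a nameserver called ns1.example.com, and a TSIG key file at /etc/attachmentsums.key.

```python
import hashlib
import socket
import subprocess

ZONE = "attachmentsums.example.com"   # zone name taken from the post
TTL = 5 * 24 * 3600                   # the 5-day lifetime, in seconds
LISTED = "127.0.0.2"                  # DNSBL-style "already seen" answer (assumption)
SAMPLE_ATTACHMENT = b"MZ\x90\x00 constructed attachment body, not a real file"

def attachment_digest(data: bytes) -> str:
    """Digest of the raw attachment bytes; sha256 rather than md5 so two
    attachments cannot be made to collide on purpose."""
    return hashlib.sha256(data).hexdigest()

def record_name(digest: str) -> str:
    return f"{digest}.{ZONE}"

def dns_lookup(name: str) -> bool:
    """True if the name resolves, i.e. the digest has been registered before."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def nsupdate_script(digest: str, server: str = "ns1.example.com") -> str:
    """Commands fed to nsupdate's stdin to register the digest with the 5-day TTL.
    The TTL bounds how long resolvers cache the answer; the record itself stays in
    the zone until an 'update delete', so a periodic cleanup pass is assumed."""
    return "\n".join([
        f"server {server}",
        f"zone {ZONE}",
        f"update add {record_name(digest)} {TTL} A {LISTED}",
        "send",
        "",
    ])

def run_nsupdate(script: str, keyfile: str = "/etc/attachmentsums.key") -> None:
    """Send the script to nsupdate, authenticating with a TSIG key file (assumed path)."""
    subprocess.run(["nsupdate", "-k", keyfile], input=script, text=True, check=True)

def classify(data: bytes, lookup=dns_lookup, submit=run_nsupdate) -> str:
    """'seen' if this attachment was already registered, else register it and return 'new'."""
    digest = attachment_digest(data)
    if lookup(record_name(digest)):
        return "seen"
    submit(nsupdate_script(digest))
    return "new"

if __name__ == "__main__":
    # Dry run: no DNS traffic, just show the update that would be sent.
    print(classify(SAMPLE_ATTACHMENT, lookup=lambda n: False, submit=print))
```

A mail filter would call classify() on each decoded attachment and quarantine the message when the answer is "seen" (or when a counter kept alongside the record passes the threshold the thread discusses).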