I’ve recently configured my MTA to drop emails with embedded MS Office Macros (a very popular way of distributing malware).
You can get the odd valid macro-enabled Office doc, so I’ve written a script to alert me when emails are dropped, it’s available on GitHub
Configure in /etc/clamsmtpd.conf as below:
VirusAction: /usr/local/bin/clamsmtp-action.py -t email@example.com
(other switches available, read the source or run with -h)