The following should go into mime_header_checks.regexp assuming you’re running Postfix. Which you should be.
/filename="?body\.zip"?/ DISCARD Virus spam discarded (W32.Novarg.A@mm)
No point REJECTing it, since you’d just be sending it back to an already-infected victim.
OK, it turns out that the filename varies. For the moment, I’m dropping everything with a .zip attachment. I’ve gotten a HUGE surge in inbound email in the last 2 or 3 hours, MOST of it consisting of this virus message, and almost all of it is coming from two addresses: 18.104.22.168 and 22.214.171.124. I don’t know who this is, but they are making dozens of connections per second to deliver mail. Or at least, they were, until I told the firewall about them.
I hope they stop soon.
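An added example, not from the original post: a small Python harness for trying header-check rules against constructed MIME headers before deploying them. It approximates Postfix regexp-table evaluation (first match wins, case-insensitive by default) with Python's `re`; the broader .zip rule and the sample headers are assumptions, not the author's actual rule.

```python
import re

def load_table(text):
    """Parse '/pattern/flags ACTION text' lines (Postfix regexp_table syntax)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-z]*)\s+(.*)", line)
        pattern, flags, action = m.groups()
        # Postfix matches case-insensitively by default; the 'i' flag toggles that.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def check(rules, header):
    """Return the action of the first matching rule, or None if nothing matches."""
    for regex, action in rules:
        if regex.search(header):
            return action
    return None

# Rule from the post, with the dot escaped and both quotes optional.
NARROW = r'/filename="?body\.zip"?/ DISCARD Virus spam discarded (W32.Novarg.A@mm)'
# Hypothetical broader rule: any name= or filename= parameter ending in .zip.
BROAD = r'/name="?[^";]*\.zip"? *(;|$)/ DISCARD zip attachment discarded'

# Constructed sample MIME headers (not taken from real traffic).
SAMPLES = [
    'Content-Disposition: attachment; filename="body.zip"',
    'Content-Disposition: attachment; filename="document.ZIP"',
    'Content-Type: application/octet-stream; name=message.zip',
    'Content-Disposition: attachment; filename="notes.zip.txt"',
]

def verdicts(table_text):
    """Evaluate every sample header against one rule table."""
    rules = load_table(table_text)
    return [check(rules, h) for h in SAMPLES]

if __name__ == "__main__":
    for name, table in (("narrow", NARROW), ("broad", BROAD)):
        for header, action in zip(SAMPLES, verdicts(table)):
            print(f"{name:6} {action or 'pass':48} {header}")
```

The literal body.zip rule catches only the first header, while the broader rule catches the first three and leaves the `.zip.txt` name alone.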