Bah, SpamAssassin here is picking up lots of attempted viruses being sent to me, which isn’t that strange, except that ClamAV doesn’t spot them. Turns out the reason it’s not spotting them is that when you look at the email it looks like it’s forgetting to attach the virus payload, so it’s actually a completely safe (though annoying) email. D’oh!
The messages have an attachment that’s labelled application/x-compressed & base64 and given the name of a zip file, but then instead of the expected payload it has the text
%TS_ZIP_ATTACH%. I’m not the only one though, there’s plenty of archived messages to lists with the same..
Of course, this begs the question of how it’s spreading in the first place.