better techniques to identify and remove zero-day viruses from cyrus store sought
Jorey Bump
list at joreybump.com
Tue Aug 21 14:28:08 EDT 2007
John Crawford wrote:
> What's the best way, and second best way to react to zero-day virus
> threats - messages that are delivered to the mail store before the
> detection is in place?

Any detection that can take place in the mail store can (and should) be
moved up the chain, preferably to the MTA.

> Is there a best practice that functions nicely
> within the cyrus community?

Yes, once a message is delivered, leave it alone. The most you should do
at that point is maybe provide an opt-in sieve rule that stores
suspicious messages in a special folder. But even this has caveats, and
I prefer to let the users sort their own mail.

More information about the Info-cyrus mailing list