Let's talk about those works of art that elude our best filters. Written and posted like a legit message, their only threat is a big red button with a label that says "do not push me". In truth, they are just a "click here for your overdue bill" and similar hooks for the gullible few.
There are two things I would like to do ASAP: automatically rewrite any HTML e-mail into plain text, and automatically rewrite any URI into something that does not trigger any external program (browser, FTP, you name it). This is the only loophole left in my systems, and I see no alternative.
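The two rewrites asked for above, sketched with Python's standard library as an added example that is not part of the original post. The function names, the `[link target: ...]` marker, the `hxxp` / `[.]` notation and the sample message are assumptions chosen for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
URI_RE = re.compile(
    r"\b(?:(?:https?|ftps?|sftp|file|mailto|tel):(?://)?|www\.)[^\s<>\"'\]]+", re.I)

class TextExtractor(HTMLParser):
    """Keep visible text; print each link's real target beside its label."""
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag in ("script", "style"):
            self.skip += 1          # script/style bodies are not visible text
        elif tag == "a" and href:
            self.out.append(f"[link target: {href}] ")
        elif tag in ("br", "p", "div"):
            self.out.append("\n")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

def defang(text):
    """Rewrite URIs so a mail client no longer auto-links or launches them."""
    def repl(m):
        uri = m.group(0).replace(":", "[:]", 1).replace(".", "[.]")
        return re.sub(r"^htt(ps?)", r"hxx\1", uri, flags=re.I)
    return URI_RE.sub(repl, text)

def to_safe_plaintext(raw):
    """Flatten every text part to defanged plain text; other parts are dropped."""
    chunks = []
    for part in message_from_string(raw, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = TextExtractor()
            parser.feed(part.get_content())
            parser.close()
            chunks.append(defang("".join(parser.out).strip()))
        elif ctype == "text/plain":
            chunks.append(defang(part.get_content().strip()))
    return "\n\n".join(chunks)

# Constructed sample message (not from the original post).
SAMPLE = ('Subject: Overdue bill\nMIME-Version: 1.0\nContent-Type: text/html\n\n<p>Your '
          'bill is overdue.</p><a href="http://billing.example.test/pay?id=1">Click here</a>\n')
```

Showing the `href` next to the link label lets the reader see where "click here" really points, while the defanged form keeps the client from turning it back into something clickable.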