Iptables has some (rudimentary?) form of filtering, but Im not familiar with that, maybe someone else can come up with the gory details :-]
Snort, an IDS package ,allows you to filter for strings like this CodeRed entry shows:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "CodeRed/Index Server - Generic"; content:".ida?";)
but this ain't what you're looking for.
The keyword is email since that is the only infection vector (transport layer) I know of; you'll need to look into mail filtering.
If you're mailhost is running a Linux MTA like sendmail you could either add rules to the /etc/sendmail.cf (or use libmilter, inflex, possibly ripmime or any other filters). An example of what sendmail can filter is
here (Melissa). Possibly cert.org, sans.org and/or securityfocus.com already have prefab rules out for filtering.
If OTOH its running the very leet Microsuck Xchange S3rv3r, there's another good reason to convert to Linux :-]