Whitelist practice is very good.
So basically you firewall everything that is not allowed/unknown.
Another technology is to *require* people sending emails to you to answer an anti-spam question, such as picture recognition.
Those two technologies combined leave zero chance for a virus/spam to get to you. Even if a virus attacks a friend's computer and he starts spamming, all emails get blocked until he manually answers the picture-recognition questions.
Some Linuxoids go much further than that by implementing draconian measures: allowing ONLY plain-text incoming email; all else is blocked. That is, all images/flash/javascript/attachments, or emails that include at least one of those components, are blocked totally.
HTML looks like text and is not rendered, so it's impossible to use a browser weakness/hole in the rendering engine.
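As an added illustration (not code from the post above), here is a small Python policy that combines the three ideas: a sender whitelist, a challenge-response hold for unknown senders, and the plain-text-only rule. The addresses, messages and challenge answer are constructed sample data, and the `classify`/`mark_verified` functions are hypothetical names chosen for the example.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed state: whitelisted senders, and senders who already solved a challenge.
ALLOWLIST = {"alice@example.org"}
VERIFIED = {"bob@example.net"}


def is_plain_text_only(msg: Message) -> bool:
    """Draconian rule: accept only a single-part text/plain message.
    Anything multipart (attachments, inline images, HTML alternatives) fails,
    and so does a single-part message whose type is not text/plain."""
    if msg.is_multipart():
        return False
    return msg.get_content_type() == "text/plain"


def classify(raw: str, allowlist=ALLOWLIST, verified=VERIFIED) -> str:
    """Return 'deliver', 'challenge' (hold the mail and send the picture
    question to the sender) or 'reject' (policy violation)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender:
        return "reject"
    # Plain-text check comes first: even a whitelisted friend whose machine
    # is infected cannot push HTML or an attachment through.
    if not is_plain_text_only(msg):
        return "reject"
    if sender in allowlist or sender in verified:
        return "deliver"
    # Unknown sender: default deny, hold until a human answers the challenge.
    return "challenge"


def mark_verified(sender: str, answer: str, expected: str, verified=VERIFIED) -> bool:
    """Called when a held sender answers the challenge; a correct answer
    adds them to the verified set so later mail is delivered directly."""
    if answer.strip().lower() == expected.strip().lower():
        verified.add(sender.lower())
        return True
    return False


# Constructed sample messages.
PLAIN_FROM_FRIEND = "From: Alice <alice@example.org>\nSubject: hi\n\nSee you tomorrow.\n"
HTML_FROM_FRIEND = "From: Alice <alice@example.org>\nContent-Type: text/html\n\n<b>hi</b>\n"
PLAIN_FROM_STRANGER = "From: carol@example.com\nSubject: hello\n\nPlease add me.\n"
```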