Seems like a lot of work with way too much room for false positives. Why aren't you running a content filter on executable attachments so they get bounced and you never see them? BTW -- Shouldn't that be hunnypot.net?