Just this week I received a file that said it came from Mrs. Swordmaker... but she doesn't send email to me... we share the same Mac network and if she wants to send me something she just drops it in my Drop Box. Attached to it was an executable file that contained a Windows Spyware installer masquerading as something else... I don't recall what it was. It obviously came from one of those Windows computers that many on here claim are easy to harden and secure, that had my wife's and my email addresses in the address book, but had somehow gotten hijacked and turned into a zombie. If this email were a little better constructed so as to appear similar to emails Mrs. Swordmaker might send to her friend and it was sent to someone who expects to get such an email from her... why wouldn't they "trust" the attachment?
A spam filter will not filter your friends... the people you have emailed. It CAN filter known, recognizable malware contained in attachments... but that is why the crackers are always trying to come up with something new.
OS X updates using the menu selection are safe... because there are built-in checks to assure that the file is coming from Apple. A couple of years ago a proof-of-concept SPOOF update site was demonstrated... and Apple added the encrypted checks to the Software Update app and to their web site to ensure this could not happen. Microsoft also had the same problem a couple of years ago and actually had to shut down their update website for about a week to fix the vulnerability. DO NOT download OS updates off of non-official sites. There are no guarantees that what you are downloading is sanctioned by the publishers. Use the downloads from official sites only.