Small zip files are malware! Large zip files are legit!
I would love to give a high spamscore or stop zip-files below a certain size. Large zip-files are usually legit. Zip files with a size below 100k is 99.9% certainly some new malware – many of whom escape signature scanning and may pose a threat.
If attachment LIKE (zip|rar) AND size <100k then (delete|spam|quarantine)