If the mail client is downloading a *.desktop file, warn the user. Yeah, the social engineering virus propagators will find a way around it, say, give the file a wrong name and ask the user to rename it after download. There are medicines for that too.
The distributions installing the *.desktop files should create a unique signature and sign each of the *.desktop files they install. Anything downloaded from the Internet will obviously not have those, even if you rename them. So the desktop environment should prompt the user if it finds a *.desktop file without the signature. And if the *.desktop was in the auto-start folder, heh! Forget about it getting executed.
And then there are people so naive they will even fall for the "Follow these steps to copy the signature file and then double click on the file" social engineering trick. The enemy of humanity is humanity itself, and suddenly I feel the decision of Skynet was not so wrong after all! Oh God, save the world from me!
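
An added example, not part of the original comment: a sketch of the launch policy proposed above, where the check covers the file's bytes, so renaming changes nothing and a signature copied from another file does not verify. HMAC-SHA256 with a constructed key stands in for the distribution's signature scheme (a real one would be asymmetric), and the function names, paths and sample files are assumptions.

```python
import hashlib
import hmac

# Constructed demo key. HMAC-SHA256 stands in for the distribution's signature
# scheme so the example runs on the standard library alone (assumption).
DISTRO_KEY = b"constructed-demo-key"

# Constructed sample launchers.
INSTALLED = b"[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n"
DOWNLOADED = b"[Desktop Entry]\nType=Application\nName=Invoice\nExec=/home/user/Downloads/unknown-binary\n"


def sign_desktop(content: bytes, key: bytes = DISTRO_KEY) -> str:
    """Tag the distribution computes at install time, over the file's bytes."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def is_signed(content: bytes, tag, key: bytes = DISTRO_KEY) -> bool:
    """True only if the tag was computed over exactly these bytes."""
    if not tag:
        return False
    expected = sign_desktop(content, key)
    return hmac.compare_digest(expected.encode(), tag.encode())


def launch_policy(path: str, content: bytes, tag) -> str:
    """Decide what the desktop environment does: 'run', 'prompt', 'refuse' or 'ignore'."""
    if not path.endswith(".desktop"):
        return "ignore"            # not a launcher, outside this policy
    if is_signed(content, tag):
        return "run"               # installed and signed by the distribution
    if "/autostart/" in path:
        return "refuse"            # unsigned launchers never auto-start
    return "prompt"                # unsigned launcher: ask the user first


if __name__ == "__main__":
    copied = sign_desktop(INSTALLED)  # a tag lifted from a legitimate file
    print(launch_policy("/usr/share/applications/editor.desktop", INSTALLED, copied))
    print(launch_policy("/home/user/Downloads/invoice.desktop", DOWNLOADED, None))
    print(launch_policy("/home/user/Downloads/invoice.desktop", DOWNLOADED, copied))
    print(launch_policy("/home/user/.config/autostart/invoice.desktop", DOWNLOADED, None))
```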