Any way to stop logging Sobig e-mail?

Vernon Schryver
Wed Sep 3 18:11:46 UTC 2003

> To: Gary Mills <mills@cc.UManitoba.CA>
> From: Daniel V Klein <>

> I've had the same log cutback issue - wish I had a solution other than that!
> -Dan
> > Lately, our DCC logs have been running at 2 gigabytes per day.  Most
> > of that seems to be Sobig e-mail.  One checksum occurs 871 times in
> > one hourly sample.  I've had to cut back on log retention to avoid
> > filling up the disk.
> > 
> > Is there any way to disable logging for Sobig e-mail?

I don't see how there could be.  It's not just that if detecting Sobig
were completely easy and reliable, then it wouldn't be a problem.
(For example, see the recent long sad story in (I think) the RISKS
digest about the university that deleted Sobig mail messages).  It's
more that DCC clients aren't in that business.

If you do have a way to detect Sobig, then why not wrap it into a script
that deletes or moves aside the objectionable log files?
Why can't something elaborated from this do the job?

    find /var/dcc/log /var/dcc/userdirs -newer marker -name 'msg.*' | \
      xargs grep -l whatever | xargs -n 1 /bin/rm
    touch marker

(e.g., some versions of xargs can be used to better effect with rm)

Vernon Schryver
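
A more defensive elaboration of the find/grep/rm pipeline suggested above, added here as an example; it is not part of the original post or of DCC. The function name `prune_dcc_logs`, the marker handling and the pattern argument are assumptions, and the pattern must be a fixed string you have verified against your own `msg.*` files.

```shell
#!/bin/sh
# Added example (not from the original post): prune DCC per-message log
# files that contain a given fixed string.
#
# Usage: prune_dcc_logs MARKER PATTERN DIR...
#   e.g. prune_dcc_logs /var/dcc/prune.marker 'your-verified-string' \
#            /var/dcc/log /var/dcc/userdirs
# Assumes log file names contain no newlines.
# Prints the number of files removed.
prune_dcc_logs() {
    marker=$1 pattern=$2
    shift 2
    # An empty pattern would match every file, so refuse it.
    [ -n "$pattern" ] || { echo "empty pattern refused" >&2; return 2; }

    # First run: create an old marker so every existing file is newer.
    [ -e "$marker" ] || touch -t 197001020000 "$marker"

    # Stamp the next marker BEFORE scanning, so files written while the
    # scan runs are examined on the next run instead of being skipped.
    touch "$marker.next"

    removed=0
    list=$(mktemp) || return 1
    # -F: fixed string, -l: names only, -e: safe for patterns starting
    # with '-'. "-exec ... {} +" batches files without word splitting.
    # find exits non-zero when grep finds no match in a batch; that is
    # not an error here, hence "|| :".
    find "$@" -type f -name 'msg.*' -newer "$marker" \
        -exec grep -lF -e "$pattern" {} + > "$list" || :

    while IFS= read -r f; do
        rm -f -- "$f" && removed=$((removed + 1))
    done < "$list"

    rm -f "$list"
    mv "$marker.next" "$marker"
    echo "$removed"
}
```

Run it from cron at an interval shorter than your log retention, with a marker file kept outside the scanned directories.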

