Any way to stop logging Sobig e-mail?

Daniel V Klein
Wed Sep 3 19:15:02 UTC 2003

If I could independently detect Sobig, I'd do that.  But what we are saying
is that since we log spam with DCC, a lot of Sobig ends up in our log dirs,
taking up space.  There are a lot of different checksums (I assume), but
still plenty of bulky bits in all those copies...


> > To: Gary Mills <mills@cc.UManitoba.CA>
> > From: Daniel V Klein <>
> > I've had the same log cutback issue - wish I had a solution other than that!
> >
> > -Dan
> >
> > > Lately, our DCC logs have been running at 2 gigabytes per day.  Most
> > > of that seems to be Sobig e-mail.  One checksum occurs 871 times in
> > > one hourly sample.  I've had to cut back on log retention to avoid
> > > filling up the disk.
> > > 
> > > Is there any way to disable logging for Sobig e-mail?
> I don't see how there could be.  It's not just that if detecting Sobig
> were completely easy and reliable, then it wouldn't be a problem.
> (For example see the recent long sad story in (I think) the RISKS
> digest about the university that deleted Sobig mail messages).  It's
> more that DCC clients aren't in that business.
> If you do have a way to detect Sobig, then why not wrap it into a script
> that deletes or moves aside the objectionable log files?
> Why can't something elaborated from this do the job?
>     find /var/dcc/log /var/dcc/userdirs -newer marker -name 'msg.*' | \
>       xargs grep -l whatever | xargs -n 1  /bin/rm
>     touch marker
> (e.g. some versions of xargs can be used to better effect with rm)
> Vernon Schryver
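
One elaboration of the find/grep/rm idea quoted above, as an added example that is not part of the original thread. The function name `prune_dcc_logs`, its arguments and the `.next` marker file are assumptions for illustration, and PATTERN stands in for the "whatever" in the quoted command (no real Sobig signature is assumed).

```shell
#!/bin/sh
# Added example, not from the original thread. PATTERN stands in for the
# "whatever" in the quoted command; no real Sobig signature is assumed.

# Usage: prune_dcc_logs PATTERN MARKER DIR...
# Removes msg.* files under DIR... that are newer than MARKER and contain
# the literal string PATTERN, then prints how many were removed.
prune_dcc_logs() {
    pattern=$1
    marker=$2
    shift 2

    # First run: date the marker far in the past so every log is "newer".
    [ -e "$marker" ] || touch -t 197001020000 "$marker"

    # Stamp the next marker BEFORE scanning. A log written during the scan
    # is then newer than the marker and is examined on the next run,
    # instead of slipping between the find and a later touch.
    touch "$marker.next"

    list=$(mktemp) || return 1
    # -F: literal match; -e: pattern may start with "-"; -l: names only.
    # grep exits 1 when nothing matches, which is not an error here.
    find "$@" -type f -name 'msg.*' -newer "$marker" \
        -exec grep -l -F -e "$pattern" {} + > "$list" 2>/dev/null || :

    # Assumes log file names contain no newlines.
    while IFS= read -r f; do
        rm -f -- "$f"
    done < "$list"

    removed=$(wc -l < "$list" | tr -d ' ')
    rm -f -- "$list"
    mv -f -- "$marker.next" "$marker"
    echo "$removed"
}

# Run as a script when given arguments, e.g. from cron.
if [ "$#" -ge 3 ]; then
    prune_dcc_logs "$@"
fi
```

Keep the marker file outside any pattern that would match `msg.*`, and pass the same directories the quoted command uses (`/var/dcc/log /var/dcc/userdirs`).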
