After years of putting up with Rick and his digital photo editing services crap I think I have finally figured out a way to block these messages.
Here’s the deal. You run a mail server, and you get spam every single day from Rick offering digital photo editing services. You put “We are a china based imaging professionals” into your spam blocker/body_checks and THE MESSAGES KEEP COMING. You can’t figure out why they are still coming. Your rules are working. You forward yourself one of Rick’s messages and it is blocked. Yet they keep coming from China.
The answer is in the mail log:
Jan 19 19:23:37 dallas postfix/cleanup: 774CC582A5: info: header Subject: =?GB2312?B?RGlnaXRhbCBQaG90byBFZGl0aW5nIFNlcg==?=??=?GB2312?B?dmljZXM
gLSBQaG90byBDdXRvdXQgLSBQaA==?=??=?GB2312?B?b3RvIFJldG91Y2hpbmc=?= from h184-60-84-203.nwblwi.dedicated.static.tds.net[126.96.36.199]; from=XXXX to=XXXX
I have Postfix report message subject lines in the log because it makes troubleshooting mail problems easier. Look at the Subject: header of this message. It begins with “=?GB2313?B?…” if you take that whole string and put it into Google you get no hits. But if you truncate to just the part I quoted above, you get some very interesting results. GB2312 is the character encoding for Chinese simplified. So Rick figured out that if he encodes his emails using that character encoding but such that the decoded email appears in US English ASCII characters (A-Z|a-z|0-9) then we’ll all get to read about his photo editing services in a language we understand.
Solutions vary – blocking this encoding string in the headers is what I’ll be doing (along with some other encoding strings). There are other articles on this topic once you know what to search for, with various strategies depending on your needs and your email system.
In my case I’m just adding this line to my header_checks:
/^Subject: .*?GB2312?B?.*/ REJECT # No chinese encoding please.
Edit: One thing to note. I had a rule set up in Postfix that printed the email subject line in the logs (it’s my mail server, I can do what I want):
This line appeared first in my header_checks file, but since only one rule can fire per email header line, after I added this to the top of my header_checks, Rick’s email started getting through again. Sure enough, testing one of his headers with:
postmap -q 'Subject: =?GB2312?B?' regexp:/etc/postfix/header_checks
because only the rule that writes the subject to the log was being run. So I moved that rule to the bottom of header_checks. Now the messages with Chinese encoding are blocked (REJECT) and if any mail does get through, the subject line is written to the logs.
3 replies on “We are a China based imaging professionals / Rick photo editing spam!”
Great job figuring this out. We came across your article at the office while joking around about this same situation. The big question that we had though, was WHY!? Why does this guy/company/bot bother doing this?
I am a USA based not sure why person. 🙂 My life is actually better now, though! Thanks for the note; I’m glad it helped someone.
Oh thank you! I get emails from Rick nearly every day and I´m so completely fed up…. Just added it to my postfix config.