
Why We Can Send to Gmail in China - longkai
https://xiaolongtongxue.com/articles/2016/why-we-can-send-to-gmail-in-china/
======
lolc
So port 25 in the GFW is open for outbound connections? My mailserver spam-log
tells me that much every other second.

I wonder what weight Spammers had in the decision to allow port 25. Though
when I think about it, spammers are probably a negligible faction compared to
the businesses that would shut down if they couldn't communicate with
international clients on Gmail anymore.

It would be interesting, as other commenters already remarked, to see what
STARTTLS does to the connection.

~~~
TorKlingberg
The GFW is mostly a blacklist. Unless your site (or your hosting) is on the
list, it will work fine from China. It also detects some keywords.

~~~
Iv
It is a dynamic blacklist. It also uses pattern matching and machine learning
to detect some undesired behaviors. It will not cut out SSH connections but
will recognize the traffic shape of HTTP traffic over it.

------
mandarg
Note that mail sent this way is "in the clear" and can be used for passive
monitoring.

I wonder if the Great Firewall allows clients to do opportunistic STARTTLS or
if it modifies the server response to indicate TLS as being unavailable.
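
The client-side answer to that question, as an added example (not code from the original thread or from the article it discusses): an SMTP front-end that refuses to go past EHLO unless the server advertises STARTTLS, and treats a refused STARTTLS as a downgrade rather than a reason to fall back to cleartext. A box on the path that deletes the `250-STARTTLS` line only wins if the client silently proceeds without it. `ScriptedConnection` is a stand-in for a socket so the session runs offline; the canned server replies are constructed for this example, modelled on the EHLO transcripts quoted later in the thread, and the host names are placeholders.

```python
"""
Added example: require STARTTLS before sending any envelope data.
ScriptedConnection replaces a real socket; replies below are constructed.
"""
import re

class SmtpDowngradeError(Exception):
    """The peer did not offer (or refused) STARTTLS and policy requires it."""

class ScriptedConnection:
    """Fake transport: hands out canned server replies, records client lines."""
    def __init__(self, replies):
        self._replies = list(replies)
        self.sent = []
    def read_reply(self):
        return self._replies.pop(0)
    def send(self, line):
        self.sent.append(line)

REPLY_LINE = re.compile(r'^(\d{3})([ -])(.*)$')

def parse_reply(text):
    """Split a (possibly multi-line) SMTP reply into (code, [text lines]).
    RFC 5321: 'NNN-text' continues the reply, 'NNN text' ends it."""
    code, body = None, []
    lines = text.strip('\r\n').split('\r\n')
    for i, ln in enumerate(lines):
        m = REPLY_LINE.match(ln)
        if not m:
            raise ValueError(f"malformed reply line: {ln!r}")
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("reply code changes mid-response")
        if m.group(2) == ' ' and i != len(lines) - 1:
            raise ValueError("data after final reply line")
        body.append(m.group(3))
    return code, body

def ehlo_capabilities(body):
    """EHLO reply: first line is the server's greeting, the rest are keywords."""
    caps = {}
    for ln in body[1:]:
        keyword, _, params = ln.partition(' ')
        caps[keyword.upper()] = params
    return caps

def negotiate(conn, helo_name, require_tls=True):
    """Drive the session up to the point where envelope data would be sent.
    Returns 'tls' or 'plain'; raises SmtpDowngradeError before any MAIL FROM
    is written if TLS is required and not available."""
    code, _ = parse_reply(conn.read_reply())
    if code != 220:
        raise RuntimeError(f"unexpected greeting {code}")
    conn.send(f"EHLO {helo_name}\r\n")
    code, body = parse_reply(conn.read_reply())
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}")
    if 'STARTTLS' not in ehlo_capabilities(body):
        if require_tls:
            conn.send("QUIT\r\n")       # nothing identifying has left the host yet
            raise SmtpDowngradeError("peer did not advertise STARTTLS")
        return 'plain'
    conn.send("STARTTLS\r\n")
    code, _ = parse_reply(conn.read_reply())
    if code != 220:
        conn.send("QUIT\r\n")           # advertised but refused: treat as downgrade
        raise SmtpDowngradeError(f"STARTTLS refused with {code}")
    # A real client wraps the socket with ssl.SSLContext here and re-sends EHLO.
    return 'tls'

def session_outcome(replies, require_tls=True, helo_name="client.example"):
    """Run negotiate() against canned replies; returns (status, lines sent)."""
    conn = ScriptedConnection(replies)
    try:
        status = negotiate(conn, helo_name, require_tls)
    except SmtpDowngradeError as e:
        status = f"refused: {e}"
    return status, conn.sent

# Constructed replies: an MX that offers STARTTLS, and the same dialogue as
# seen through a box that removed the STARTTLS line from the EHLO reply.
MX_WITH_TLS = [
    "220 mx.example ESMTP\r\n",
    "250-mx.example at your service\r\n250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n",
    "220 2.0.0 Ready to start TLS\r\n",
]
MX_STRIPPED = [
    "220 mx.example ESMTP\r\n",
    "250-mx.example at your service\r\n250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n250 ENHANCEDSTATUSCODES\r\n",
]

if __name__ == "__main__":
    for label, replies in [("with STARTTLS", MX_WITH_TLS), ("stripped", MX_STRIPPED)]:
        print(label, "->", session_outcome(replies)[0])
```

The point of `session_outcome` on the stripped transcript is what the client sends: only `EHLO` and `QUIT`, never `MAIL FROM`, so a passive observer learns nothing about sender or recipient. Opportunistic clients (the `require_tls=False` path) are exactly what a STARTTLS-stripping middlebox relies on.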

~~~
girzel
I've noticed that the firewall really doesn't like TLS connections. It doesn't
block them outright, but it does slow the traffic, and periodically break the
connection. Basically they just try to interfere with it enough that you don't
bother.

I run mail servers (based in the US) for my company (based in China). My
employees don't understand why I make them use these email accounts that time
out every twenty minutes or so, or drop connections randomly. I've explained
why we do it this way, and they understand the security, but still don't
really get why I bother.

------
cantrevealname
> You cannot visit those well known global sites like Google, Twitter, etc.

Google's main search function has not been blocked for the past two years
according to Wikipedia:

https://en.wikipedia.org/wiki/Websites_blocked_in_mainland_China

Erotica is bad, but torrents (isoHunt, etc.) are OK. The New York Times and
the Economist are blocked, but strangely, Amnesty International, the BBC, and
Wikileaks are permitted.

They probably have a big productivity boost by _not_ having Twitter, YouTube,
Facebook, and Instagram.

~~~
seanmcdirmid
Google Search has been blocked over the last two years, even through the CN
site that redirects to HK. Mobile is possibly an exception, but I never had an
Android phone so don't know.

~~~
thaumasiotes
Mobile wasn't an exception (I haven't been in China for a year, but I was
there for two years before that); my phone was cut off from all google
services.

Edit: I say cut off; that's not entirely true. I couldn't communicate with
google from my phone. I could visit Google Play in a web browser, tell it to
install something, and the install would hit my phone just fine.

------
Animats
I wonder what else the Great Firewall of China will pass. (Or what your local
ISP will pass.) There are lots of other protocols to try. TP4 (Windows 2000
supported that.) Xerox Network Architecture. QNX remote message protocol.
Those are non-TCP protocols, at the IP level. Almost nobody uses any of those,
but they're defined for IP.

At the TCP level, there are lots of ports other than port 80. What about FTP,
and SSH? TFTP? POP? NetBios? IMAP? NNSP? NNTPS? Blocked or ignored?

~~~
mikeash
They're getting pretty sophisticated. For example, SSH used to work just fine.
When I was there last year, SSH would work fine for standard terminal stuff,
but would die if I used it in SOCKS proxy mode. It was similar for a lot of
VPN protocols I tried. Often the connection would work, but then die as I
tried to use it. Typically I couldn't reconnect for a while after that. From
what I've read, they're doing traffic analysis and machine learning to try to
block things based on usage rather than simply protocol, port, or destination.

~~~
Retr0spectrum
You can get around the statistical analysis by randomly padding small packets:
http://blog.zorinaq.com/my-experience-with-the-great-firewall-of-china/

------
milankragujevic
Doesn't really explain *why* email can be sent from China to Gmail, only
that it can. Is the GFW filtering only port 80?

~~~
schoen
I was expecting this to be "why" as a policy matter, but instead it's a
technical description (mostly about the fact that SMTP is different from HTTP,
for people who might not appreciate that).

I guess the idea may be that Chinese people are not supposed to _have_ or
_use_ Gmail accounts, but are allowed to communicate with other people who do.
(This isn't necessarily a super-bizarre distinction to imagine a government
making; the cost of not being allowed to exchange e-mail with anybody on Gmail
is really quite high.)

Edit: also, people have told me that there is a legal restriction in China on
the ability to listen on (some?) TCP ports or allow a hosting subscriber to do
so (!) -- you're supposed to have a government license to have a TCP listener
and your hosting provider or ISP can be punished for allowing you to operate
one if you don't have the license. That means that Chinese Internet users
couldn't easily set up their own personal mail servers free of government
oversight and surveillance. So they can write to Gmail users all they like,
but it may be trickier to receive a reply except via a government-approved
mailserver.

~~~
gcr
Let's write a webpage-to-gmail proxy! Send an email with a subject like
[http://news.ycombinator.com/](http://news.ycombinator.com/) to a special
email address and it will reply with the text of that page in the body of the
email.

~~~
wildfire
There are a whole bunch already!

http://www.faqs.org/faqs/internet-services/access-via-email/

Probably worth some karma to update this 14 year old document too.

------
rasz_pl
Ian from dangerousprototypes (Bus Pirate) wrote about his troubles with
getting an email account in china that actually works:

http://dangerousprototypes.com/blog/2016/06/21/china-stuff-email-that-works/

~~~
swiley
That seems more like a complaint about just Unicom. It looks like China has a
problem similar to the US when it comes to ISP monopolies, except that theirs
are state owned and there was no period of free market competition where
people could realize how good it can be.

------
ruffrey
You can get through the firewall, but that does not mean your traffic isn't
monitored.

~~~
mikeash
And potentially blocked adaptively. I haven't tried it recently, but it used
to be fun to hit up a search engine while in China, search for "tiananmen
square," and watch as the search site suddenly went "down" for about ten
minutes.

~~~
schoen
Which is odd since Tiananmen Square is one of the main tourist attractions in
Beijing. Did the government conclude that all English speakers are using it as
metonymy for 6/4 or that there's too great a chance that English-language
materials about the place will discuss it?

~~~
mikeash
I imagine it's some of both. If I do a Google search for it, the top result
and about half of the first page are about the protests, and the famous "tank
man" image, which is no good at all from their point of view.

------
wodenokoto
I have never even thought about how weird it is that you can communicate with
gmail via mail, while hardly ever actually access the service.

I wonder what other blocked services it is possible to communicate with.

Can you update your Twitter account via e-mail from China?

------
omarforgotpwd
Someone should write a web server that looks like it implements SMTP, but can
be coaxed into handling HTTP connections over port 25 as well.

~~~
perfmode
I don't think that'll thwart deep-packet inspection.

------
yegle
EDIT: format

The post only tells part of the story. There are at least two places where the
GFW can (and does!) block email traffic, as long as the traffic goes through
the GFW:

1. By DNS-poisoning your domain name. There's nothing special here: when the
GFW decides to poison your domain, all query types are poisoned, including your
MX record.

2. By TCP-resetting your SMTP connection to the MTA (or forging a reply from
the other end) if the sender or recipient is something special.

For #1, this is happening to my domain name yegle.net. This can be
demonstrated via a DNS query sent from outside of China to *any* server (even
if it's not a DNS server) in China (see examples at the end of this comment).

For #2, this is happening to my Gmail account. Try connecting to an MTA in
China from outside of China; as soon as you type "MAIL FROM:
MY_EMAIL_ADDRESS", you'll get a TCP reset (see examples at the end of this
comment). If you are sending email from China to my email address, you'll get
a forged reply saying the email address doesn't exist (again, see the example
at the end of this comment).

In order to make sure you can send/receive email from/to China, you need to
make sure the sender's and receiver's email services support
[StartTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS).

    
    
        // TEST FROM OUTSIDE OF CHINA
        $ dig MX yegle.net @54.222.60.218
    
        ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> MX yegle.net @54.222.60.218
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9506
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
        ;; QUESTION SECTION:
        ;yegle.net.                     IN      MX
    
        ;; ANSWER SECTION:
        yegle.net.              2654    IN      A       8.7.198.45
    
        ;; Query time: 176 msec
        ;; SERVER: 54.222.60.218#53(54.222.60.218)
        ;; WHEN: Mon Sep 19 13:13:17 PDT 2016
        ;; MSG SIZE  rcvd: 43
    
        // TEST FROM OUTSIDE OF CHINA
        $ dig MX yegle.net @8.8.8.8
    
        ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> MX yegle.net @8.8.8.8
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17621
        ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
    
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 512
        ;; QUESTION SECTION:
        ;yegle.net.                     IN      MX
    
        ;; ANSWER SECTION:
        yegle.net.              299     IN      MX      10 aspmx.l.google.com.
        yegle.net.              299     IN      MX      20 alt1.aspmx.l.google.com.
        yegle.net.              299     IN      MX      30 alt2.aspmx.l.google.com.
        yegle.net.              299     IN      MX      40 aspmx2.googlemail.com.
        yegle.net.              299     IN      MX      50 aspmx3.googlemail.com.
    
        ;; Query time: 24 msec
        ;; SERVER: 8.8.8.8#53(8.8.8.8)
        ;; WHEN: Mon Sep 19 13:13:27 PDT 2016
        ;; MSG SIZE  rcvd: 171
    
    
        // TEST FROM OUTSIDE OF CHINA
        $ telnet mail.kingsoft.com 25
        Trying 219.141.176.248...
        Connected to telecom.mail.kingsoft.com.
        Escape character is '^]'.
        220 mail.kingsoft.com ESMTP
        EHLO gmail.com
        250-mail.kingsoft.com
        250-8BITMIME
        250 SIZE 52428800
        MAIL FROM: cnyegle-AT-gmail-com
        Connection closed by foreign host.
    
        // TEST FROM INSIDE OF CHINA
        $ telnet aspmx.l.google.com 25
        Trying 209.85.225.27...
        Connected to aspmx.l.google.com.
        Escape character is '^]'.
        220 mx.google.com ESMTP u6si11379881igw.58
        EHLO yegle.net
        250-mx.google.com at your service, [183.151.34.162]
        250-SIZE 35882577
        250-8BITMIME
        250-STARTTLS
        250 ENHANCEDSTATUSCODES
        MAIL FROM:<mail@example.com>
        250 2.1.0 OK u6si11379881igw.58
        RCPT TO:<cnyegle-AT-gmail-com>
        551 User not local; please try <forward-path>
        Connection closed by foreign host.
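
The DNS half of the comment above, as an added example (not code from the original comment or from the article): a minimal DNS wire-format builder/parser plus a check that flags the shape of the first dig reply, where an MX question comes back answered by a bare A record. The two replies are constructed in this file from the values in the transcripts (the transaction id and the second MX list being truncated are assumptions of the example) so the check runs offline; a real probe would send `build_query()` over UDP port 53 to the host under test and hand the raw bytes to `classify_reply()`. Getting any reply at all from a host that does not run DNS is itself the tell; this code checks the content of the reply as well.

```python
"""
Added example: DNS wire format and an injected-reply check.
Both replies below are constructed from the dig transcripts in the comment.
"""
import struct

QTYPE = {'A': 1, 'NS': 2, 'CNAME': 5, 'MX': 15, 'AAAA': 28}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}

def encode_name(name):
    out = b''.join(bytes([len(l)]) + l.encode('ascii')
                   for l in name.rstrip('.').split('.'))
    return out + b'\x00'

def build_query(name, qtype, txid=0x1234):
    # flags 0x0100: standard query, recursion desired; one question, no RRs
    return (struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack('!HH', QTYPE[qtype], 1))

def build_reply(query, answers):
    """answers: [(owner, type, ttl, rdata)].  Echoes the question, sets
    QR|RD|RA, leaves authority/additional empty, and compresses the owner
    name to a pointer at the question (0xC00C) when it matches."""
    txid = struct.unpack('!H', query[:2])[0]
    qname, _ = decode_name(query, 12)
    out = struct.pack('!HHHHHH', txid, 0x8180, 1, len(answers), 0, 0) + query[12:]
    for owner, rtype, ttl, rdata in answers:
        owner_b = (b'\xc0\x0c' if owner.rstrip('.') == qname.rstrip('.')
                   else encode_name(owner))
        out += owner_b + struct.pack('!HHIH', QTYPE[rtype], 1, ttl, len(rdata)) + rdata
    return out

def decode_name(msg, off):
    """Read a possibly-compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode('ascii'))
        off += n
    return '.'.join(labels) + '.', (end if jumped else off)

def parse_message(msg):
    """Parse header, question and answer sections (query or response)."""
    txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack('!HH', msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10]); off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen])); off += rdlen
    return {'id': txid, 'flags': flags, 'questions': questions,
            'answers': answers, 'authority': ns, 'additional': ar}

def classify_reply(query, reply):
    """Return the reasons a reply looks injected; an empty list means clean."""
    q, r = parse_message(query), parse_message(reply)
    reasons = []
    if r['id'] != q['id']:
        reasons.append('transaction id mismatch')
    if r['questions'] != q['questions']:
        reasons.append('question section altered')
    asked = {t for _, t in q['questions']}
    for _, rtype, _, _ in r['answers']:
        # A CNAME in the answer is legitimate for any qtype; anything else
        # that is not the asked-for type (an A record for an MX question) is not.
        if rtype not in asked and rtype != QTYPE['CNAME']:
            reasons.append(f"{QTYPE_NAME.get(rtype, rtype)} record answers "
                           f"{'/'.join(QTYPE_NAME[t] for t in asked)} question")
    return reasons

def mx_rdata(preference, host):
    return struct.pack('!H', preference) + encode_name(host)

# Constructed from the comment's transcripts: the injected reply (one A record,
# TTL 2654) and the first two MX records of the genuine reply (TTL 299).
QUERY = build_query('yegle.net', 'MX')
POISONED = build_reply(QUERY, [('yegle.net', 'A', 2654, bytes([8, 7, 198, 45]))])
GENUINE = build_reply(QUERY, [
    ('yegle.net', 'MX', 299, mx_rdata(10, 'aspmx.l.google.com')),
    ('yegle.net', 'MX', 299, mx_rdata(20, 'alt1.aspmx.l.google.com')),
])
```

A poisoned response that matches the transaction id and question section is indistinguishable from a genuine one on those fields alone, so the type check is the useful signal here; a resolver that validates DNSSEC would reject the forged A record outright, but that does not help clients on the Chinese side whose upstream resolver does not validate.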

------
sumitgt
This is off-topic, but what is the preferred tool for making flowcharts in
ASCII like the ones used in the post?

~~~
jacobolus
[https://monodraw.helftone.com](https://monodraw.helftone.com) ?

------
dmitrygr
Time for an HTTPS-over-SMTP RFC? :)

~~~
estebank
We could use RMS' system[1][2]. :)

[1]: https://stallman.org/stallman-computing.html
[2]: git://git.gnu.org/womb/hacks.git

