42 comments

[ 2.8 ms ] story [ 110 ms ] thread
Doesn't really explain Why can email be sent from China to Gmail, only that it can. Is the GFW filtering only port 80?
I was expecting this to be "why" as a policy matter, but instead it's a technical description (mostly about the fact that SMTP is different from HTTP, for people who might not appreciate that).

I guess the idea may be that Chinese people are not supposed to have or use Gmail accounts, but are allowed to communicate with other people who do. (This isn't necessarily a super-bizarre distinction to imagine a government making; the cost of not being allowed to exchange e-mail with anybody on Gmail is really quite high.)

Edit: also, people have told me that there is a legal restriction in China on the ability to listen on (some?) TCP ports or allow a hosting subscriber to do so (!) -- you're supposed to have a government license to have a TCP listener and your hosting provider or ISP can be punished for allowing you to operate one if you don't have the license. That means that Chinese Internet users couldn't easily set up their own personal mail servers free of government oversight and surveillance. So they can write to Gmail users all they like, but it may be trickier to receive a reply except via a government-approved mailserver.

Agreed, it is a technical explanation to political decisions.

The Chinese government wants to be able to access the communications of their people. They can do that as long as their email providers are cooperative. There is no need to disrupt communications to ensure this is the case, they simply need to keep Chinese citizens from using uncooperative providers.

Let's write a webpage-to-gmail proxy! Send an email with a subject like http://news.ycombinator.com/ to a special email address and it will reply with the text of that page in the body of the email.
oh man, I remember browsing FTP servers over email back in the early 1990s, when I had email access but not FTP access. It was incredibly slow and typos were to be avoided at all costs! https://en.wikipedia.org/wiki/FTPmail
no they filter many different ports and do deep packet inspection on anything that is not encrypted and will block if contains certain content. There is a set list of banned words that will get content blocked instantly. VPN traffic is usually blocked once it is identified as being unlicensed vpn, you need a license to run a vpn server. So these vpn companies will rotate their ips multiple times per month and have special clients that keep the list updated just to avoid the GFW
It's a really long and uninteresting post for the tl;dr "port 25 is not being blocked by the firewall".

Although he should've tried using some bad keywords, but that seems to be beyond his level of research.

Note that mail sent this way is "in the clear" and can be used for passive monitoring.

I wonder if the Great Firewall allows clients to do opportunistic STARTTLS or if it modifies the server response to indicate TLS as being unavailable.

I've noticed that the firewall really doesn't like TLS connections. It doesn't block them outright, but it does slow the traffic, and periodically break the connection. Basically they just try to interfere with it enough that you don't bother.

I run mail servers (based in the US) for my company (based in China). My employees don't understand why I make them use these email accounts that time out every twenty minutes or so, or drop connections randomly. I've explained why we do it this way, and they understand the security, but still don't really get why I bother.

I have never even thought about how weird it is that you can communicate with gmail via mail, while hardly ever actually access the service.

I wonder what other blocked services it is possible to communicate with.

Can you update you twitter account via e-mail from China?

So port 25 in the GFW is open for outbound connections? My mailserver spam-log tells me that much every other second.

I wonder what weight Spammers had in the decision to allow port 25. Though when I think about it, spammers are probably a negligible faction compared to the businesses that would shut down if they couldn't communicate with international clients on Gmail anymore.

It would be interesting, as other commenters already remarked, to see what STARTTLS does to the connection.

The GFW is mostly a blacklist. Unless your site (or your hosting) is on the list, it will work fine from China. It also detects some keywords.
It is a dynamic blacklist. It also uses pattern matching and machine learning to detect some undesired behaviors. It will not cut out SSH connections but will recognize the traffic shape of HTTP traffic over it.
I wonder what else the Great Firewall of China will pass. (Or what your local ISP will pass.) There are lots of other protocols to try. TP4 (Windows 2000 supported that.) Xerox Network Architecture. QNX remote message protocol. Those are non-TCP protocols, at the IP level. Almost nobody uses any of those, but they're defined for IP.

At the TCP level, there are lots of ports other than port 80. What about FTP, and SSH? TFTP? POP? NetBios? IMAP? NNSP? NNTPS? Blocked or ignored?

They're getting pretty sophisticated. For example, SSH used to work just fine. When I was there last year, SSH would work fine for standard terminal stuff, but would die if I used it in SOCKS proxy mode. It was similar for a lot of VPN protocols I tried. Often the connection would work, but then die as I tried to use it. Typically I couldn't reconnect for a while after that. From what I've read, they're doing traffic analysis and machine learning to try to block things based on usage rather than simply protocol, port, or destination.
> You cannot visit those well known global sites like Google, Twitter, etc.

Google's main search function has not been blocked for the past two years according to Wikipedia:

https://en.wikipedia.org/wiki/Websites_blocked_in_mainland_C...

Erotica is bad, but torrents (isoHunt, etc.) are OK. The New York Times and the Economist are blocked, but strangely, Amnesty International, the BBC, and Wikileaks are permitted.

They probably have a big productivity boost by not having Twitter, YouTube, Facebook, and Instagram.

(comment deleted)
I know it was probably just a joke, but they have local equivalents for Twitter and the rest, so productivity is no doubt just as bad.

This is one of the interesting aspects of the system. It started out as just a tool for censorship, but it's becoming a tool for protecting local businesses from outside competition as well.

Google Search has been blocked over the last two years, even through the CN site that redirects to HK. Mobile is possibly an exception, but I never had an Android phone so don't know.
I was in China not a month ago. Google Search definitely did not work on Android without a properly setup VPN + custom DNS.
Mobile wasn't an exception (I haven't been in China for a year, but I was there for two years before that); my phone was cut off from all google services.

Edit: I say cut off; that's not entirely true. I couldn't communicate with google from my phone. I could visit Google Play in a web browser, tell it to install something, and the install would hit my phone just fine.

Google search, Drive, Sheets, Docs, Gmail (normal web/app) are all blocked; with ZPN proxy on Android (but not on desktop for some strange reason) Search, gmail and drive work, but sheets/docs are broken for me still. I'm in Shanghai.
Google search is definitely blocked. (Source: I'm in China.) The "unblocked" there seems to be a typo since the "duration of blockage" column says "to present", which is correct.

Regarding social media, of course, the local social media are popular enough that practically nobody would use the American ones even if they were all unblocked tomorrow.

The fascinating part is it varies geographically within China too, so for instance Github is not blocked on the coast (at least in Shenzhen) but is definitely blocked out in Xinjiang.
The mistake you're making is that the Chinese government has chosen one standard and applied it consistently throughout the web. I imagine they've applied it like a game of wack-a-mole: if a group embarrasses them, they block it. Otherwise you can continue rockin' in China. There is a national law against pornography, so that's not surprising.

I imagine that isoHunt and the BBC and Wikileaks just haven't caused China enough trouble yet.

Ian from dangerousprototypes (Bus Pirate) wrote about his troubles with getting an email account in china that actually works:

http://dangerousprototypes.com/blog/2016/06/21/china-stuff-e...

That seems more like a complaint about just unicom. It looks like China has a problem similar to the US when it comes to ISP monopolies, except that theirs are state owned and there was no period of free market competition where people could realize how good it can be.
You can get through the firewall, but that does not mean your traffic isn't monitored.
And potentially blocked adaptively. I haven't tried it recently, but it used to be fun to hit up a search engine while in China, search for "tiananmen square," and watch as the search site suddenly went "down" for about ten minutes.
Which is odd since Tiananmen Square is one of the main tourist attractions in Beijing. Did the government conclude that all English speakers are using it as metonymy for 6/4 or that there's too great a chance that English-language materials about the place will discuss it?
I imagine it's some of both. If I do a Google search for it, the top result and about half of the first page are about the protests, and the famous "tank man" image, which is no good at all from their point of view.
Someone should write a web server that looks like it implements SMTP, but can be coaxed into handling HTTP connections over port 25 as well.
I don't think that'll thwart deep-packet inspection.
EDIT: format

The post only tells part of the story. There are at least two places that GFW can (and does!) block email traffic as long as the traffic goes through GFW:

1. By DNS poisoning your domain name. There's nothing special, when GFW decide to DNS poisoning your domain, all query types will be poisoned, including your MX record.

2. By TCP reset your SMTP connection to MTA (or forge reply from the other end) if the sender or recipient is something special.

For #1, this is happening to my domain name yegle.net. This could be demonstrated via a DNS query sent from outside of China to any servers (even it's not a DNS server) in China (see examples in the end of this comment).

For #2, this is happening to my gmail account. Try connect to an MTA in China from outside of China, as soon as you type "MAIL FROM: MY_EMAIL_ADDRESS", you'll get a TCP reset. (see examples in the end of this comment). If you are sending email from China to my email address, you'll get a forged reply saying the email address doesn't exist (again see example in the end of this comment).

In order to make sure you can send/receive email from/to China, you need to make sure the sender and receiver's email service support [StartTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS).

    // TEST FROM OUTSIDE OF CHINA
    $ dig MX yegle.net @54.222.60.218

    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> MX yegle.net @54.222.60.218
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9506
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;yegle.net.                     IN      MX

    ;; ANSWER SECTION:
    yegle.net.              2654    IN      A       8.7.198.45

    ;; Query time: 176 msec
    ;; SERVER: 54.222.60.218#53(54.222.60.218)
    ;; WHEN: Mon Sep 19 13:13:17 PDT 2016
    ;; MSG SIZE  rcvd: 43

    // TEST FROM OUTSIDE OF CHINA
    $ dig MX yegle.net @8.8.8.8

    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> MX yegle.net @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17621
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;yegle.net.                     IN      MX

    ;; ANSWER SECTION:
    yegle.net.              299     IN      MX      10 aspmx.l.google.com.
    yegle.net.              299     IN      MX      20 alt1.aspmx.l.google.com.
    yegle.net.              299     IN      MX      30 alt2.aspmx.l.google.com.
    yegle.net.              299     IN      MX      40 aspmx2.googlemail.com.
    yegle.net.              299     IN      MX      50 aspmx3.googlemail.com.

    ;; Query time: 24 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Mon Sep 19 13:13:27 PDT 2016
    ;; MSG SIZE  rcvd: 171


    // TEST FROM OUTSIDE OF CHINA
    $ telnet mail.kingsoft.com 25
    Trying 219.141.176.248...
    Connected to telecom.mail.kingsoft.com.
    Escape character is '^]'.
    220 mail.kingsoft.com ESMTP
    EHLO gmail.com
    250-mail.kingsoft.com
    250-8BITMIME
    250 SIZE 52428800
    MAIL FROM: cnyegle-AT-gmail-com
    Connection closed by foreign host.

    // TEST FROM INSIDE OF CHINA
    $ telnet aspmx.l.google.com 25
    Trying 209.85.225.27...
    Connected to aspmx.l.google.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP u6si11379881igw.58
    EHLO yegle.net
    250-mx.google.com at your service, [183.151.34.162]
    250-SIZE 35882577
    250-8BITMIME
    250-STARTTLS
    250 ENHANCEDSTATUSCODES
    MAIL FROM:<mail@example.com>
    250 2.1.0 OK u6si11379881igw.58
    RCPT TO:<cnyegle-AT-gmail-com&g...