by Renaud 1083 days ago
I remember having to deal with the early GFW about 20 years ago when I was working for a company that had some employees on a site in Shanghai.

Every morning, our colleagues in China would open their mail client and it would connect to our server abroad.

The first person would usually be OK, but for everyone else, the connection would fail.

At the time, almost nothing was known of the GFW and it wasn't as clever as it is now. I found out that the POP connection was quickly blocked after a few minutes, probably triggering some slow firewall rules along the way (it seemed a bit random, so I assumed the firewall setup wasn't unified).

Moving to POPS/SMTPS seemed to improve things for a while, but the connection would still be randomly blocked.

What worked in the end was to use a bunch of random ports instead of the well-known ones to accept POP/SMTP connections on the server, and we never had any issues after that, at least until we changed systems a couple of years later.


We have a satellite office in Dubai. I know their static IP. When they connect to our IMAP/SMTP server they are coming in from another IP. I never looked into it deeply but assumed their connection is being diverted for inspection. (If true, they would probably not be below performing industrial espionage with the data they are accessing.)
I've debugged connection issues with someone in China. The same person, using the same browser and at the same time, showed up in the logs of two cloud apps with different IP addresses. The applications were adjacent in the cloud, same network config and everything. We figured there was always redirection, and we were never seeing their "true" IP address.

A simpler test is to search "what is my IP" and compare the values returned by different services.

The IP space in China is wild: multiple ISPs use the same IP ranges and some even use foreign IP space but they don't route them outside of China. I wouldn't be at all surprised to see proxy setups at ISPs trying to "fix" some of this.

Even when we had physical machines in Chinese data centers it didn't mean that our service was reachable from all ISPs. In 2010 we gave up on that and just started using Akamai China CDN with our servers in Europe.

At that level, there is no reason to proxy it through a different IP address. If you control the network, you can just make the packets come from the original, real address.
It was probably written by junior devs, like most other software around the world.
A GFW that can inspect petabytes of traffic per second for a 1.4 bln population cannot be written by juniors.
It might be something government-mandated where all ISPs direct mail traffic to a central location. (The largest ISP is the government, by the way.)
Is the IMAP/SMTP connection not encrypted?
Doesn't matter if the government mandates MITM and forces install of root certs on all clients.
Yes, they are encrypted.
Speaking of satellites, the ones in geosynchronous orbit, how can the Chinese block those?
“We will shoot your satellite if you don’t block access while over China”.
In orbit? Good luck

Lasers maybe?

The US has done so with a missile so basic that it's named "standard missile 3".

Most satellites will just be following an uninterrupted, predictable path for most of their time.