Gmail security breach, want some proof?


Just 2 days ago CC sent me a link to a Chinese blog post about how he noticed his personal emails from Gmail account was accessed and screened by GFW. I was skeptical and thought it could just be a hoax or hype or just a theory. And today, the news broke out. Google officially announced that they will no longer provide censored searches for because they faced cyber attacks originated from China which targeted Gmail accounts of Chinese human rights activists! This could mean end of the road for Google in China.

As part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.

My jaw dropped as I read the statement from Google. This is exactly what the blog I read 2 days ago tries to prove.

GFW screens personal emails
Jan 10, 2010
by wzyboy

I setup my Gmail to automatically forward all the emails to my 139 email box, this way I can use my cell phone to receive my Gmail’s new email notice. It was this way for long time, and I never had any problems. Couple of days ago I suddenly noticed that I got many same short email notices. I thought it was very strange so I signed into my 139 email account. I saw that these emails repeatedly appeared over 20 times, these 20 emails have the same content, and the sent time was exactly the same also, the only difference is the receiving time. Then I thought of someone used to experiment with sending emails between Gmail and QQ, and this is my analysis.

Gmail is a responsible email service, it will do its best to ensure your email get to the receiving mailbox. If the first time receiving mailbox fails to receive the message, it will send you a warning, telling you that your email was delayed. After a while it will retry, when the many retries fail, then it will send back an email to the sender that his email failed. After I setup up the email forwarding in my Google account, all emails except the emails sent to the Groups will always be forwarded to 139, my emails were reviewed and screening in during this forward process.

If before I didn’t have enough evidence, then I now have these evidences.

This is my signature for the Charter 08, which was blocked.

[Charter 08 (零八宪章Língbā Xiànzhāng) is a manifesto signed by over 303 Chinese intellectuals and human rights activists to promote political reform and democratization in the People’s Republic of China.]


After trying to send many times, Gmail finally gave up sending and determined sending failure. But in fact, those emails were all blocked by the screening system and were being screened. And they were eventually sent to the 139 mail box, that’s why in my 139 mail box I had 20 same emails.


So is the screening system only screens the email which contains particular email address? (for example ) No, it’s not like that. I checked, as long as the emails contains sensitive words, they will be reviewed, please see:

This is a personal email I wrote to my classmate. This classmate just registered twitter, so I recommended him some well-known twitter friends:

Message-ID: <>
Subject: =?GB2312?B?UmU6IL/JxcK1xEdyYXZpdHk=?=
From: Zhuo Wang
To: wzyboy
Content-Type: text/plain; charset=GB2312
Content-Transfer-Encoding: base64


On 1/1/10, wzyboy wrote:
@guao 半人半机器人。播报谷奥博客上的新消息以及关于Google的新闻
@rtmeme 机器人,偶尔具有人的意识。会自动统计中文推特用户锐推最多的推。如果被它锐推了你的推,说明你的那条推很精彩。我被推过一次。这是一种荣誉啊。
@CMCCSH 和 @CUGSM 这是中国移动和中国联通的两个非官方帐号,人类。两人是相应公司的员工,热情。两人有时会针尖对麦芒。
@xream 无锡人。原天一中学少年班。目前就读于西安交通大学,你可以在他的lists里找到更多的无锡人。
@helloell 气质美女。目前就读于Swansea, the UK的某大学。
@onlyswan 推特红人,人气极旺。加拿大籍华人,目前就读于上海某大学,本科。人妻。尺度开放而不放荡,好色。兔子说不建议你Fo她,防止你被带坏。
@newsinchina 无私奉献的推特教牧师,热情,精力充沛。
@lianyue 推特中文圈里Foer最多的人,对事件有独特见解。
@aiww 艾未未。著名维权人士,持不同政见者。
@ranyunfei 冉云飞。同上。
@fzhenghu 冯正虎。维权人士。详情可点击他的Link查看,是一个字很多、图片很多的Docs文档。


(In the email: Twitter name and names of Chinese human rights activists)

If just mentioned certain sensitive names in our email resulted this email’s ending failure.

Other than this, I looked through some of other delayed emails, these email were mostly between my classmate and me. I compiled a list:

我眼中的2009年中国10大网事 | In my eyes, 10 major incidents on Chinese internet in 2009

中国网络封锁和监控简史| A Brief History of China’s Internet blocking and monitoring

Google Alert – Ubuntu 9.10

[微软快速成长型企业资讯快报] – 快来免费索取限量 Office 2010 试用光盘!| Microsoft’s fast-growing enterprise IT Express] – Come obtained free of charge a limited Office 2010 Trial CD-ROM!

十二棵橡樹: 关于Google的hosts以及如何使用IPv6 | about google’s hosts and how to use IPV6

自由门怎么用在Chrome上?| Freedom gate, how to use it on Chrome?

可怕的Gravity | scary Gravity

[快速成长型企业快报特惠专刊] – 新年新希望,Office 2010 抢先送惊喜!| [Fast-growing enterprises express an ex-gratia special issue] – New Year, new hope, Office 2010 first to get pleasantly surprised!

Springboard Series Insider: Volume 2, No. 1

零八宪章签名 | Charter 08 signatures

From these titles you can see, not only emails containing political keywords, but some emails only scratches the GFW issue will also be reviewed. For example the first one “In my eyes, 10 major incidents on Chinese internet in 2009” , I sent this to my email from Google reader. This article was posted by @jason5ng32 (well-known blogger) on, this article mentioned some things authorities did not want to see, the original article was already deleted.

GFW is really developed to the point of screening personal emails. If you and your friends use any email accounts in China, the emails will be screened. Your emails will all be read. Someone reported this on, but the article was deleted. Now I experienced this myself, and post it on Blogspot, so it will not be deleted.

So I am reminding everyone, don’t think using Gmail is safe, I believe many of Gmail users all setup emails to be forwarded to 139, be sure to remember that 139 is a email service in China!

Twitter: @wzyboy
GV: 1(734)931-0***

  1. So… those two twits in California finally realized that the powers to be in Beijing are playing hardball only after “someone” tries to hack into their precious information servers, instead of privately ponying up the cash for it? Thanks for playing the kowtow game, sorry but you can never scrape and grovel low enough – because you are “laowais” to begin with.

  2. Non-technical people should be banned from speculating on technical issues.

    Yes… most likely email traffic is being scanned, likely using the same technology to filter HTTP traffic. I always assumed they’d scan any IP traffic for text matching certain phrases.

    This has absolutely NOTHING, ZIPPO, ZERO to do with gmail supposedly being “attacked”. I’ve read the original GhostNet research in full, and think the conclusions they generate is pretty ridiculous and outlandish. For Google to have gone public to this degree, they better have more compelling evidence than what GhostNet originally published.

    1. I know this is not the same attack to google corperate network, as mentioned in the google blog:

      As part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.

      this is an example of what they discovered as part of this investigation.

      1. I have no idea what you’re claiming here. *What* is an example of what they discovered as part of this investigation?

        Emails are transmitted using a protocol called SMTP. The Google server, when it has an email to send, will connect to 139’s server via TCP according to its MX value in its DNS configuration. It then uses a very simple set of commands to describe the recipient, sender, subject, message, and done.

        TCP/IP packets are always routed through multiple servers before they reach their destination. When you read this message, the bytes consisting the page has traveled to your computer through 5-10 servers.

        The “Great Firewall” consists of servers on the edge of the Chinese TCP/IP network. All IP packets going to China are routed through these servers before arriving at the destination. It’s trivial to monitor all of these packets for clear-text words that are “suspicious”. If these words are detected, the packets are just swallowed and not passed on.

        This has NOTHING, absolutely NOTHING to do with Google’s allegations of hacking. In fact, the more I read the substance of what has been claimed by Google and others, I think the “hacking” in question is basically a login-log. They’re finding indications that there are unauthorized logins into these gmail accounts from China. That’s it. Someone has this account’s password, and that someone is apparently in China.

  3. Hysteria is correct, this is not an example of the Gmail account hacking that the Google blog post is referring to. All wzyboy is saying is that some of his emails containing particular keywords were prevented from being delivered. In all likelihood, the process is almost entirely automated. Since email travels unencrypted over cables monitored by the Chinese government, there is no way to prevent this from happening unless you encrypt your email, which the author evidently does not do. None of this is news.

    So I have to reiterate what Hysteria said, namely that non-technical people should not speculate about subjects they do not understand. I also note that this post has been uncritically linked by other blogs.

    Again, the translated post does not have anything to do with what Google has just revealed.

    PROTIP: if you are a dissident, ENCRYPT YOUR EMAILS.

  4. I’ve read the email about “recommended him some well-known twitter friends.” I speculate that, that email is blocked because of some words in the content are usually used in porny texts, though the email sender actually was not promoting pornography.

    More technical comment:
    The emails may be blocked by the same system that blocks HTTP( web page ) contents. It may not be designed particularly for web pages OR email, but ALL Internet traffic(that means any protocol, any software, any system, common encoding, non-encrypted) that passes through the gateway connecting China and the outside world.

    I’m hoping that Google should issue free S/MIME Certificate to ALL email users, not just Gmail users, and encourage+teach them to send signed/encrypted emails.

    ( is issuing free certificate to email users, but it has little reputation comparing to Google )

    S/MIME is just a name for the email version of HTTPS which used by online banks, ebay, and other websites that require a “secure connection”—- the “secure” means the one who occupies the international gateways CAN NOT filter/read content transmitted through that connection.

    All main stream email client software have this S/MIME capability.
    The problem is, you can’t use it on using a browser, but have to give up all the convenience of “web application” and use an old fashioned software instead to connect to gmail.

  5. Encrypt ALL of your e-mails and send many encrypted e-mails. Change your key and encryption algorithm frequently. They won’t know which e-mail to decrypt. Include photos (of nothing important) and music in each e-mail. This will snarl up their computers in the decryption process. Also it will require more manpower to figure out exactly what has been sent. Imagine someone spending hours just to discover that you just sent the latest pop hit song! If everyone did this, the GFW will collapse.
    If the censors discover that you are only sending the latest hit songs they may just leave you alone. You can send audio messages disguised as the latest hit song.

  6. I agree that it is not hacking… hacking is in fact a log of user id and password…. I am so much interested in technology it is an amazing exp by hysteria..

  7. Been longing to visit Rome. I’m hoping to see alot of the sights such as Colosseum and alot more. Going there in april 2011. What would you look at first ?

  8. It’s good to know your stand towards this comment thing going on. I’ve visited some design sites before that I find have repetitive comments from visitors, might be one of those you were pertaining to.

  9. Hi! I think most of the hacking being done is not the actual hacking but infact Social Engineering or Phishing. People fall prey and end up loosing their username/passwords. This can not be termed as hacking. The only way is to educate people to be able to guard themselves against Social Engineering but when people are still using IE6, its a bit difficult to get this going.

  10. Pingback: - Megan Knight
Leave a Reply

Your email address will not be published. Required fields are marked *

Prove you are human! * Time limit is exhausted. Please reload CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You May Also Like
Read More

Tianjin Soccer Team Chasing and Beating Referee

[pro-player width=’400′ height=’300′ type=’video’ image=’’][/pro-player] [NetEase] July 26 China National Men’s Soccer group A third round match between…