Why is Google approaching my VPS machine?

Solution 1:

Notice the ACK SYN on the first packet in your dump? Those flags indicate the second stage of the three-way TCP handshake.

Since this packet is coming from Google, it indicates that Google is not "approaching your VPS"; your VPS is connecting to Google on port 993, and Google is sending back an acknowledgement.

To investigate this further, you can use the iptables command to view details (including process IDs) of connections that are currently active. You can also use the kernel audit subsystem to log outgoing connections as they happen.
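Added example, not part of the answer above: a Python sketch of the SYN-ACK reasoning, reading `tcpdump -n` text lines and reporting which side opened each connection. The capture lines, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re

# tcpdump -n text output: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[A-Za-z.]+)\]"
)

# Constructed sample capture; 203.0.113.10 stands in for the VPS.
SAMPLE = """\
12:00:01.000100 IP 198.51.100.7.993 > 203.0.113.10.51514: Flags [S.], seq 1000, ack 2001, win 42540, length 0
12:00:01.000200 IP 203.0.113.10.51514 > 198.51.100.7.993: Flags [.], ack 1001, win 229, length 0
12:00:05.000300 IP 192.0.2.44.40022 > 203.0.113.10.22: Flags [S], seq 77, win 29200, length 0
""".splitlines()


def handshake_initiator(line):
    """Return (initiator, responder, service_port) for a SYN or SYN-ACK line, else None."""
    m = LINE_RE.search(line)
    if not m or "S" not in m["flags"]:
        return None  # unparsable, or not part of connection setup
    if "." in m["flags"]:
        # tcpdump prints ACK as "."; [S.] is SYN-ACK, stage two of the handshake.
        # Its sender is the server, so the receiver is the side that connected.
        return (m["dst"], m["src"], int(m["sport"]))
    # Bare SYN, stage one: the sender is opening the connection.
    return (m["src"], m["dst"], int(m["dport"]))


def outbound_connections(lines, local_ip):
    """List (remote_ip, remote_port) pairs for connections opened by local_ip."""
    found = set()
    for line in lines:
        result = handshake_initiator(line)
        if result and result[0] == local_ip:
            found.add((result[1], result[2]))
    return sorted(found)


if __name__ == "__main__":
    for remote, port in outbound_connections(SAMPLE, "203.0.113.10"):
        print(f"local host connected out to {remote}:{port}")
```

A SYN-ACK arriving from remote port 993 is therefore counted as an outbound connection from the local host, while the bare SYN to port 22 is counted as inbound.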

Solution 2:

Port 993 is for encrypted IMAP traffic.

Gmail has a feature where it can check external IMAP servers and bring those emails into your inbox.

As such, I suspect your IP address was previously that of someone's email server, and they configured Gmail to check that server for their emails. (Alternatively, but less likely, that "someone" is you, and you forgot you did this.)

Tags:

Iptables