By Franklin Foer November 2nd, 2016
On Monday, I published a reported piece that raised questions about a server owned by the Trump Organization. The server appeared to be unusually configured, and to communicate almost exclusively with two servers registered to Alfa Bank in Moscow. The piece followed a group of computer scientists who had stumbled upon the Trump server in July, and it told the story of how they deployed their expertise to make sense of their discovery.
The story required voyaging deep into the arcana of the internet. The key piece of evidence for the server’s strange behavior was a set of logs of Domain Name Server, or DNS, look-ups. These are the communications between servers that enable an email to reach its destination. The computer scientists had no actual examples of email exchanged between Trump and Alfa—only inferences about that prospect, based on their close reading of the logs. I spoke with many DNS experts. They found the evidence strongly suggestive of a relationship between the Trump Organization and the bank but not conclusive. It was a subject that I believed deserved public airing and further exploration.
Publication of my article was quickly followed by responses from the Trump campaign and Alfa Bank, both of which offered more detailed accounts of the server activity than they had provided when I’d asked them for comment. My piece also elicited a series of valuable objections and credible alternate theories from technology reporters and other computer scientists. I take these seriously and believe they also deserve public airing and exploration. Several of the critiques of the hypothesis offered by the experts in my piece offer simpler, more benign explanations for the server activity. I’ll describe them here.
1) Does Trump control the server in question?
In a detailed post critiquing my piece, cybersecurity expert Rob Graham wrote, “The evidence available on the Internet is that Trump neither (directly) controls the domain trump-email.com, nor has access to the server.” This echoes the point raised by Vox, the Intercept, and others that the server was not operated by the Trump Organization directly. Rather, it was run and managed by Cendyn, a vendor that organizes email marketing campaigns for hotels and resorts. This suggests that most of the emails that emanated from this address were mass emails, related to loyalty programs, discount offers, and the like. At first, Trump spokeswoman Hope Hicks told me the server “has not been used since 2010.” She continued, “To be clear, The Trump Organization is not sending or receiving any communications from this email server.” The Intercept has since turned up at least two examples of a Trump email, promoting hotels, being sent from that server in 2015 and 2016.
Critics were right to focus on the relationship with Cendyn as a weak point in the theory. None of the computer scientists in my original story has an evidence-based explanation for why anyone at the Trump Organization would have used this server for the purposes of communicating with Alfa. The contention was that Cendyn is an organization trusted by the Trump Organization to host email. But clearly there would be easier ways to go about maintaining a quiet channel of communications than to work through a server operated by a vendor.
One of the intriguing facts in my original piece was that the Trump server was shut down on Sept. 23, two days after the New York Times made inquiries to Alfa Bank (and a week before the Times reached out to Trump). Was Cendyn acting on Trump’s behalf when it shut down mail1.trump-email.com? I can’t say for sure. (Cendyn didn’t reply to my request for comment.) This may all be pure coincidence. Perhaps Cendyn shut down the server for bureaucratic reasons, such as Trump’s failure to renew it, or perhaps Cendyn shut down the domain for very good technical reasons. “They may have shut it down to do a forensic analysis. Or they may have thought, in response to the inquiry, that the server was infected. It may actually have been infected,” Cornell University’s Emin Gun Sirer told me on Wednesday. Neither the Trump campaign nor Cendyn has offered an explanation for the shutting down of mail1.trump-email.com.
2) Could the communication with Alfa have been spam or marketing email?
In the statements they released after the publication of my piece, the Trump campaign and Alfa Bank provide different explanations for the DNS look-ups. According to Alfa, they were likely the result of its security systems furiously swatting away spam being sent by the Trump server. According to Trump, another Cendyn client, a bank, was using its servers to operate a “meeting management” application that allowed it to coordinate meetings with Alfa. The Trump campaign statement doesn’t name the bank. It’s strange that Cendyn would allow another client to use the Trump-owned servers, though it’s certainly possible. It’s also strange that investigators from Mandiant, the cybersecurity firm hired by Alfa to investigate, wouldn’t have easily found evidence of the meeting application and declared the case closed.
Was the server sending spam—unsolicited mail—as opposed to legitimate commercial marketing? There are databases that assiduously and comprehensively catalog spam. I entered the internet protocal address for mail1.trump-email.com to check if it ever showed up in Spamhaus and DNSBL.info. There were no traces of the IP address ever delivering spam. Perhaps the spam went uncataloged because it was being sent to a single bank in Russia, but L. Jean Camp, an Indiana University computer scientist and a source in my original story, thought that possibility unlikely. “It’s highly implausible that spam would continue for so many months, that it would never be reported to spam blocker, or that nobody else in the world would see the spam during that time frame,” she told me.
More likely, the Trump server was sending marketing material, like the emails the Intercept found from 2015 and 2016. Again, Hope Hicks says the Trump Organization no longer uses that server—and she denied the existence of any email sent to Alfa. It’s certainly possible that the campaign isn’t fully aware of every piece of internet marketing being dispersed by the Trump Organization. Or perhaps Cendyn sent mail on Trump’s behalf by mistake.
Still, the marketing email theory has a few holes. A typical marketing campaign would involve the wide distribution of emails, spreading word of discounted prices and hotel openings far and wide. It seems unlikely that a campaign would so exclusively focus its efforts on a bank in Russia and a health care company in Michigan (which received a small batch of DNS look-ups), even if, as one critic has claimed, executives from Alfa Bank had a penchant for staying in Trump hotels. Again, there may be some perfectly innocuous explanation for this strange behavior. Naadir Jeewa, a consultant who works with systems similar to the ones discussed in the piece, has suggested, “One of the main reasons I discounted malfeasance is that email systems are terrible. … [T]he fact that it still works is because of decades of workarounds and hacks to make it marginally secure. And they go wrong, all the time.”
3) Was it a closed server?
Another reason the computer scientists in my piece found the server unusual is that it appeared to be configured in such a way to restrict access to all but a few communicants. Several reporters and news outlets have countered by saying, in essence, that the server was “not quite as shut off from the rest of the web as it seems.” But we know of only three parties that received messages from the server, the vast bulk going to Alfa Bank. (The Intercept correctly notes that 19 IP addresses had looked up the Trump address. This is an unusually small number, and most of the look-ups consisted of IP addresses registered as purveyors of malware. The Intercept also contends that the 19 look-ups might not be a complete list; more on that below.) The scientists theorized that the Trump and Alfa Bank servers had a secretive relationship after testing the behavior of mail1.trump-email.com using sites like Pingability. When they attempted to ping the site, they received the message “521 lvpmta14.lstrk.net does not accept mail from you.” It’s possible to impose restrictions—or, in the case of Cendyn’s system, create an access control list—to carefully regulate the number of communicants. We can’t be sure that any of these restrictions were deployed.
And as the Verge’s Russell Brandom pointed out, this approach to communication would hardly remain secret forever: “If the servers were only meant to talk to each other, why not connect directly, storing the IP-domain link locally and skipping public domain registration entirely? Failing that, why not use a shared email account or any of dozens of private messaging services that leave less of a metadata trail? There are plenty of hard problems in building untraceable chat systems, but avoiding incriminating DNS records isn’t one of them.”
4) Does the conversation spike around political events?
Vox’s Timothy Lee and others have questioned the contention of the computer scientists that traffic between the servers correlated with political happenings in the U.S. “There’s a much smaller spike during the Democratic convention and no apparent increase before or during the Republican convention,” he noted. “In short, this chart seems to be totally unrelated to the political calendar.” He wonders why the largest spike occurs in August, after the party conventions. This happened to be a moment of potential interest in Russia, since those weeks were the denouement of the Paul Manafort era in the Trump campaign, with the exposure of logs showing he received $12.7 million in off-the-book payments from the Putin-backed Party of Regions. But Lee’s fundamental response is understandable: The chart shows possible correlations, not proven causation.
5) Are the DNS logs complete?
The Intercept also looked into this story and decided not to pursue it. One reason was that it doubted my source possessed an unabridged set of DNS logs: “What percentage of DNS look-ups for Trump’s email server could Tea Leaves and his colleagues observe, out of all DNS look-ups for that server on the whole internet? How can they be sure that the majority of DNS look-ups for Trump’s email server originated from Alfa Bank, when much of the data they collected didn’t even include DNS look-ups from IPs described in their own paper? What’s their margin of error? None of the analysis that we (and other journalists) obtained answered these questions.” As I noted in my piece, there’s no foolproof way to verify that these logs are complete and unedited. I believe in their authenticity, because of the credibility of the academics and programmers who vouched for them by name—specifically, Paul Vixie and Jean Camp. They took a meaningful risk in attaching their names to the data. Jean Camp has posted the full set of logs. Now that they are easily available, others can form their own opinion as to their validity and what they demonstrate about the servers.
I pursued this story because I was impressed by the emphatic belief of the experts I consulted, my suspicions were raised by the evidence they presented, and I thought I would be remiss if I sat on data that I believed deserves to be evaluated and understood before we elect the next president. The underlying context for the piece is that Donald Trump has cultivated a troubling relationship with Russia, and the U.S. government has identified Russia as trying to meddle in this election. Not every nexus between the candidate and Russia is nefarious. This one might well be entirely innocent or even accidental. As the New York Times reported on Tuesday, after my story published, the FBI looked into the server activity but “ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.” Or maybe it’s less than innocent, as the computer scientists suggested and still believe. (I’ve checked back with eight of the nine computer scientists and engineers I consulted for my original story, and they all stood by their fundamental analysis. One of them couldn’t be reached.) I concluded my account of these scientists’ search for answers by arguing that the servers and their activity deserved further explanation. Hopefully my story and the debate that has followed will move us closer to a fuller understanding.