The Alfa-Trump conspiracy-theory has gotten a new life. Among the new things is a report done by Democrat operative Daniel Jones [*]. In this blogpost, I debunk that report.
If you’ll recall, the conspiracy-theory comes from anomalous DNS traffic captured by cybersecurity researchers. In the summer of 2016, while Trump was denying involvement with Russian banks, the Alfa Bank in Russia was doing lookups on the name “mail1.trump-email.com”. During this time, additional lookups were also coming from two other organizations with suspicious ties to Trump, Spectrum Health and Heartland Payments.
This is certainly suspicious, but people have taken it further. They have crafted a conspiracy-theory to explain the anomaly, namely that these organizations were secretly connecting to a Trump server.
We know this explanation to be false. There is no Trump server, no real server at all, and no connections. Instead, the name was created and controlled by Cendyn. The server the name points to for transmitting bulk email and isn’t really configured to accept connections. It’s built for outgoing spam, not incoming connections. The Trump Org had no control over the name or the server. As Cendyn explains, the contract with the Trump Org ended in March 2016, after which they re-used the IP address for other marketing programs, but since they hadn’t changed the DNS settings, this caused lookups of the DNS name.
This still doesn’t answer why Alfa, Spectrum, Heartland, and nobody else were doing the lookups. That’s still a question. But the answer isn’t secret connections to a Trump server. The evidence is pretty solid on that point.
Daniel Jones and Democracy Integrity Project
The report is from Daniel Jones and his Democracy Integrity Project.
It’s at this point that things get squirrely. All sorts of right-wing sites claim he’s a front for George Soros, funds Fusion GPS, and involved in the Steele Dossier. That’s right-wing conspiracy theory nonsense.
But at the same time, he’s clearly not an independent and objective analyst. He was hired to further the interests of Democrats.
If the data and analysis held up, then partisan ties wouldn’t matter. But they don’t hold up. Jones is clearly trying to be deceptive.
The deception starts by repeatedly referring to the “Trump server”. There is no Trump server. There is a Listrak server operated on behalf of Cendyn. Whether the Trump Org had any control over the name or the server is a key question the report should be trying to prove, not a premise. The report clearly understands this fact, so it can’t be considered a mere mistake, but a deliberate deception.
People make assumptions that a domain name like “trump-email.com” would be controlled by the Trump organization. It’s wasn’t. When Trump Hotels hired Cendyn to do marketing for them, Cendyn did what they normally do in such cases, register a domain with their client’s name for the sending of bulk emails. They did the same thing with hyatt-email.com, denihan-email.com, mjh-email.com, and so on. What clear is that the Trump organization had no control, no direct ties to this domain until after the conspiracy-theory hit the press.
Finding #1 – Alfa Bank, Spectrum Health, and Heartland account for nearly all of the DNS lookups for mail1.trump-email.com in the May-September timeframe.
Yup, that’s weird and unexplained.
But it concludes from this that there were connections, saying the following:
In the DNS environment, if “computer X” does a DNS look-up of “Computer Y,” it means that “Computer X” is trying to connect to “Computer Y”.
This is false. That’s certainly the assumption we usually make, that it’s probably true in most cases. But it’s not something we insist upon if there’s reason to doubt it. And since there’s reason to doubt it here, we would need more evidence to make that conclusion.
For example, before the contract was canceled in March 2016, there were DNS lookups for the “mail1.trump-email.com” name from all over the place. That’s because the Listrak server was pumping out bulk emails (“spam”) promoting Trump Hotels. Servers receiving the emails would often check the identity of the server through DNS lookups, but without any attempt to connect. This fact is footnoted in the Jones report even as it claims otherwise in the main text.
Obviously, that’s no longer the case after March 2016, when the contract was canceled. But if Cendyn repurposes the server for something else, such lookups can still happen without connections. The DNS records hadn’t changed. So if the server sends out new things from that IP address, unrelated to Trump Org, it’d still cause DNS lookups for the “trump-email.com” domain to happen. It wouldn’t mean anybody was trying to connect to the server.
This is indeed what Cendyn claims, that they repurposed the resources for their hotel meetings app (whereby hotels can schedule conferences and things on their premises).
It’s still suspicious that only those three organizations were involved, but at the same time, it’s clearly false to assume this is evidence of connections.
Finding #2 – Comparison with denihan-email.com.
The Jones report compared the DNS logs of trump-email.com with the domain of another of Cendyn’s client, Denihan. Cendyn registered the domain denihan-email.com. This is another hotel company.
This comparison was obviously bogus. The contract with Cendyn ended in March 2016, after which Cendyn claims it repurposed the server. Jones uses the timeframe August 2016 through September 2016 to compare traffic for those two domains. Of course they’d be different. A valid comparison would be a t timeframe before March 2016, when both were clients of Cendyn.
Since Jones documents the fact the contract between Cendyn and Trump Org was ended, they are knowingly comparing an apple to an orange. Thus, it’s not a mistake but a deception.
This also points to the fundamental problem with the data-set. We don’t really have a full picture of what happened, such as data going back to 2015. We have a carefully curated subset of the data designed to show just what they want us to see.
Everything points to trump-email.com domain and Listrak servers being just normal Cendyn stuff used for Cendyn’s purposes. As far as we can tell, that domain worked the same as other Cendyn clients, such as denihan-email.com, hyatt-email.com, mjh-email.com, and so on. These domains are controlled by Cendyn, not their client’s. Cendyn in turn points those names at Listrak servers for sending bulk email.
Finding #3 – Missing SPF record
The Jone’s report points to missing SPF records, showing that the server is not configured correctly for sending mass emails. It includes this exhibit.
But a review shows that this is the same configuration as for other Cendyn/Listrak bulk email servers. For example, compared to mjh-email.com, we find it’s configured the same:
All these servers show the same messages, allowing incoming email connections but not incoming email messages.
On September 23, 2016, two days after The New York Times approached Alfa Bank, the Trump Organization deleted the email server “mail1.trump-email.com” … it would have been a deliberate human action taken by a someone working on behalf of the Trump Organization and not by Alfa Bank. An analyst, quoted in the Slate article by Franklin Foer, observed that “the knee was struck in Moscow, and the leg kicked in New York.”
“Followed up this morning with Central Dynamics [Cendyn] who confirmed that the mail1.trump-email.com domain is an old domain that was set up in approximately 2009 when they were doing business with the Trump Organization that was never used.” — *
The fact that Alfa Bank was the first entity (IP address) to conduct a DNS look-up for “trump1.contact-client.com” in the data-set could indicate that someone at Alfa Bank was in some manner made aware of the new Trump Organization server name.
This is totally consistent with Cendyn’s re-use of the infrastructure for a new purpose, as it would treat both domain names the same. Rather than evidence suggesting human interaction, it’s evidence suggesting the opposite, that there was no human interaction.
*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: https://blog.erratasec.com/2021/10/debunking-that-jones-alfa-trump-report.html