Here’s the Problem With the Story Connecting Russia to Donald Trump’s Email Server

On Monday evening, Slate’s Franklin Foer published a story that had been circulating on the dark web and in various newsrooms since summer, an enormous, eyebrow-raising claim that Donald Trump uses a secret server to communicate with Russia. That claim resulted in an explosive night of Twitter confusion and misinformation.

The gist of the Slate article is dramatic — unbelievable, even: Cybersecurity researchers found that the Trump Organization used a secret box configured to communicate exclusively with Alfa Bank, Russia’s largest privately held commercial bank. This is a story that any reporter in this election cycle would drool over, and drool Foer did:

The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn’t the work of bots. The irregular pattern of server look-ups actually resembled the pattern of human conversation — conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.

These claims are based solely on “DNS logs,” digital records of when one server looks up how to contact another across the internet. The logs, first gathered by an anonymous researcher going by the moniker “Tea Leaves” (an irony that should be lost on no one) and shared with a small group of academics, were provided to The Intercept and a handful of other news organizations. The New York Times, the Washington Post, Reuters, the Daily Beast, and Vice all examined these materials to at least some extent and didn’t publish the claims.

You can think of DNS like a phone book that maps people’s names to their phone numbers. For example, every time Alice wants to call Bob, she first looks up Bob’s phone number in the phone book, and then she dials the number into her phone. However, it’s possible that Alice could look up Bob’s phone number and never call him on the phone. It’s even possible that she could look up Bob’s phone number over and over again, over the course of months, without actually calling him. The DNS look-ups that The Intercept and others (including Slate) reviewed are similar to records of Alice looking up Bob’s phone number in the phone book, but to call that evidence of sinister collusion between the two is, politely, a stretch. These DNS records alone simply cannot prove that any specific messages were sent at those times. In fact, they can’t really prove anything at all, and certainly not “communication” between Trump and Alfa. This can’t be overstated: No one, not Tea Leaves, not his academic peers, and not Franklin Foer, can show that a single message was exchanged between Trump and Alfa.


Putting aside how little there actually is to read in these tea leaves, the data we reviewed was full of inconsistencies and vagaries. The Intercept (and other outlets) were provided with three documents: an academia-style white paper about the server, an analysis of that white paper, and a sprawling file on Alfa Bank. The author of the analysis paper refused to comment on the record or allow his name to be published. Both Tea Leaves and the analysis author said they didn’t know who wrote the other documents, and wouldn’t say how they obtained them. Professor L. Jean Camp, an esteemed computer scientist quoted at length in the Slate piece and also interviewed by The Intercept, said she knew the author of the Alfa Bank document — compiled with the exhaustive detail of a political oppo team, not a university researcher — but wouldn’t reveal who it was. Tea Leaves himself told The Intercept that he had to keep his identity and methods secret because “I run a cybersecurity company and I don’t want DDOS and never have we been DDOS, nor do I want other attention.”

Looking at the documents themselves presented further oddities and errors. The white paper contends the following:

The Spectrum Health IP address is a TOR exit node used exclusively by Alfa Bank, i.e., Alfa Bank communications enter a Tor node somewhere in the world and those communications exit, presumably untraceable, at Spectrum Health. There is absolutely no reason why Spectrum would want a Tor exit node on its system.

This is simply untrue and easy to disprove using publicly available information: The Intercept confirmed that the IP address in question, and all other IP addresses on Spectrum Health’s network, did not host a Tor node during the time period.

On Tea Leaves’ WordPress site, he claimed that “only two networks resolved the host.” This is contradicted by the very works of analysis furnished by Tea Leaves’ collaborators: The author of the white paper found that at least 19 IP addresses, all belonging to networks other than the two that belong to Alfa Bank, had looked up Trump’s server. And these are only the 19 the author was able to observe in a short time period — it can’t be ruled out that there were many more, which quickly deflates the portrait of a shady Russian backchannel.

The white paper included DNS look-up data, but not nearly enough to reproduce the results. Rather than the 19 IP addresses we expected to see, the data only included three, and the DNS look-ups weren’t for the same time period that the paper described. Tea Leaves published a different set of data on the dark web, which we also looked at, but this set of data only included a total of four IP addresses. When we pressed Tea Leaves for the full set of data so we could attempt to reproduce the analysis, he gave us a new, more comprehensive set of data, but still one that included a total of only eight IP addresses, and it was missing an IP address belonging to a VPN service in Utah that accounted for a significant portion of the DNS look-ups described in the paper.

What percentage of DNS look-ups for Trump’s email server could Tea Leaves and his colleagues observe, out of all DNS look-ups for that server on the entire internet? How can they be sure that the majority of DNS look-ups for Trump’s email server originated from Alfa Bank, when much of the data they collected didn’t even include DNS look-ups from IPs described in their own paper? What’s their margin of error? None of the analysis that we (and other journalists) received answered these questions.

The Simplest Explanation

Although the Slate article mentions Occam’s Razor, Foer never actually takes seriously the simplest plausible explanation for all of this: The Trump Organization owns a bunch of overpriced, obnoxious spam servers that churn out marketing emails for its expensive, obnoxious hotels. Spectrum Health, an entity in this story whose presence never made any sense, provided the following statement:

Our experts have conducted a detailed analysis of the alleged internet traffic and did not find any evidence that it included any actual communications (no emails, chat, text, etc.) between Spectrum Health and Alfa Bank or any of the Trump organizations. While we did find a small number of incoming spam marketing emails, they originated from a digital marketing company, Cendyn, advertising Trump Hotels.

Spectrum also provided us with something not even Tea Leaves could: a copy of an email sent from the server. Did it contain a Cyrillic cipher? Not quite:

Now, these emails are from outside the time period observed by Tea Leaves et al. and only represent one data point. On the other hand, we now have one checkmark in the “this is just some dumb spam server” column, and zero in the “this is a hotline to Putin’s bedroom” column. Mandiant, a cybersecurity firm Alfa Bank hired to examine the DNS logs once reporters came knocking, provided another deeply plausible explanation: All of the look-ups were the result of Alfa’s mail servers trying to figure out who was spamming them so much.

The information provided is inconclusive and is not evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump Campaign or Organization. The list provided does not contain enough information to show that there was any actual activity as opposed to simple DNS look-ups which could come from a variety of sources including anti-spam and other security software.
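The anti-spam explanation in miniature, as an added example that is not code from the article, from Mandiant or from anyone it quotes: a receiving mail server that runs forward-confirmed reverse DNS on each inbound connection generates repeated look-ups of the sender’s host name in the DNS log while sending nothing back. All host names, addresses and the zone table below are constructed.

```python
"""Constructed simulation: why a recipient's spam checks look like
"Alfa looking up Trump's server" in a passive-DNS log even though
no message ever flows from the recipient to the sender."""

# Constructed forward (A) and reverse (PTR) records for the spam sender.
ZONE = {
    "mail1.hotel-marketing.example": "203.0.113.10",
    "10.113.0.203.in-addr.arpa": "mail1.hotel-marketing.example",
}

dns_log = []        # (asking IP, queried name): what a DNS sensor records
messages_sent = []  # (from IP, to IP): actual SMTP deliveries


def resolve(client_ip, name):
    """Answer from ZONE and log who asked, as a passive-DNS sensor would."""
    dns_log.append((client_ip, name))
    return ZONE.get(name)


def ptr_name(ip):
    """203.0.113.10 -> 10.113.0.203.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def fcrdns_check(receiver_ip, sender_ip):
    """FCrDNS as a receiving MTA's filter does it: PTR look-up, then A."""
    host = resolve(receiver_ip, ptr_name(sender_ip))
    if host is None:
        return False
    return resolve(receiver_ip, host) == sender_ip


def receive_spam(receiver_ip, sender_ip, count):
    """Simulate `count` inbound spam deliveries; return how many passed."""
    accepted = 0
    for _ in range(count):
        messages_sent.append((sender_ip, receiver_ip))  # sender -> receiver
        if fcrdns_check(receiver_ip, sender_ip):         # receiver only asks DNS
            accepted += 1
    return accepted


def lookups_of(name):
    """IPs that looked up `name`, i.e. the 'suspicious' log entries."""
    return [ip for ip, q in dns_log if q == name]


def messages_from(ip):
    """Messages actually originated by `ip`: none for the recipient."""
    return [m for m in messages_sent if m[0] == ip]
```

Every accepted spam message leaves one look-up of the sender’s host name attributed to the recipient’s resolver, which is exactly the pattern the DNS logs show and exactly what they cannot distinguish from a conversation.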

Security researcher Rob Graham points out that it’s a stretch to even claim that this server is really “Trump’s”:

The evidence available on the internet is that Trump neither (directly) controls the domain “,” nor has access to the server. Instead, the domain was set up and managed by Cendyn, a company that does marketing/promotions for hotels, including many of Trump’s hotels. Cendyn outsources the email portions of its campaigns to a company called Listrak, which actually owns/operates the physical server in a data center in Philadelphia. …

… When you view this “secret” server in context, surrounded by the other email servers operated by Listrak on behalf of Cendyn, it becomes more obvious what’s going on. In the same internet address range as Trump’s servers you see a bunch of similar servers, many named [client] In other words, is not intended as a normal email server you and I are familiar with, but as a server used for marketing/promotional campaigns.

Paul Vixie, quoted throughout the Slate story, is a legendary figure in the history of the internet whose expertise is nearly unparalleled when it comes to DNS. But even Vixie conceded to The Intercept that Tea Leaves’ evidence was conclusive of nothing: “It’s a perfect he-said, she-said situation. … Mandiant is guessing no. I’m guessing yes. Neither of us has direct evidence.”

There are other, non-technical issues with the Foer piece. For one, the political connections between Trump and Alfa Bank are presented to the reader by highlighting the relationship between Trump and Richard Burt, a consultant who drafted a Trump campaign speech. Burt, Foer charges, “serves on Alfa’s senior advisory board.” Burt has indeed worked for years as an adviser to Alfa Bank and its founder, Mikhail Fridman. But he no longer serves on the board of Alfa Capital Partners, the Moscow-based fund associated with Alfa Bank. That firm closed shop over a year ago. Foer made the same allegation in another piece published by Slate in July.

Could it be that Donald Trump used one of his shoddy empire’s spam marketing machines, one with his last name built right into the domain name, to secretly collaborate with a Moscow bank? Sure. At this moment, there’s really no way to disprove that. But there’s also really no way to prove it, and such a grand claim carries a high burden of proof.

Without more evidence it would be safer (and saner) to assume that this is exactly what it looks like: A company that Trump has used since 2007 to outsource his hotel spam is doing exactly that. Otherwise, we’re all making the very same speculation about the unknown that has caused untold millions of voters to believe Hillary’s deleted emails might have contained Benghazi cover-up PDFs.

Given equal evidence for both, go with the less wacky story.

Top photo: The logo of Alfa Bank is seen on a building in Minsk, Belarus, on June 19, 2016.

Update: November 1, 2016 This article has been updated to clarify Alfa Bank’s status as the largest private commercial bank.
