Debunking: that Jones Alfa-Trump report

The Alfa-Trump conspiracy theory has gotten a new life. Among the new items is a report produced by Democrat operative Daniel Jones [*]. In this blogpost, I debunk that report.

If you’ll recall, the conspiracy theory comes from anomalous DNS traffic captured by cybersecurity researchers. In the summer of 2016, while Trump was denying involvement with Russian banks, the Alfa Bank in Russia was doing lookups on the name “mail1.trump-email.com”. During this time, additional lookups were also coming from two other organizations with suspicious ties to Trump, Spectrum Health and Heartland Payments.

This is certainly suspicious, but people have taken it further. They have crafted a conspiracy theory to explain the anomaly, namely that these organizations were secretly connecting to a Trump server.

We know this explanation to be false. There is no Trump server, no real server at all, and no connections. Instead, the name was created and controlled by Cendyn. The server the name points to is for transmitting bulk email and isn’t really configured to accept connections. It’s built for outgoing spam, not incoming connections. The Trump Org had no control over the name or the server. As Cendyn explains, the contract with the Trump Org ended in March 2016, after which they re-used the IP address for other marketing programs, but since they hadn’t changed the DNS settings, this caused lookups of the DNS name.

This still doesn’t answer why Alfa, Spectrum, Heartland, and nobody else were doing the lookups. That’s still a question. But the answer isn’t secret connections to a Trump server. The evidence is pretty solid on that point.

Daniel Jones and Democracy Integrity Project

The report is from Daniel Jones and his Democracy Integrity Project.

It’s at this point that things get squirrely. All sorts of right-wing sites claim he’s a front for George Soros, funds Fusion GPS, and is involved in the Steele Dossier. That’s right-wing conspiracy theory nonsense.

But at the same time, he’s clearly not an independent and objective analyst. He was hired to further the interests of Democrats.

If the data and analysis held up, then partisan ties wouldn’t matter. But they don’t hold up. Jones is clearly trying to be deceptive.

The deception starts by repeatedly referring to the “Trump server”. There is no Trump server. There is a Listrak server operated on behalf of Cendyn. Whether the Trump Org had any control over the name or the server is a key question the report should be trying to prove, not a premise. The report clearly understands this fact, so it can’t be considered a mere mistake, but a deliberate deception.

People assume that a domain name like “trump-email.com” would be controlled by the Trump organization. It wasn’t. When Trump Hotels hired Cendyn to do marketing for them, Cendyn did what they normally do in such cases: register a domain with their client’s name for the sending of bulk emails. They did the same thing with hyatt-email.com, denihan-email.com, mjh-email.com, and so on. What’s clear is that the Trump organization had no control over, and no direct ties to, this domain until after the conspiracy theory hit the press.

Finding #1 – Alfa Bank, Spectrum Health, and Heartland account for nearly all of the DNS lookups for mail1.trump-email.com in the May-September timeframe.

Yup, that’s weird and unexplained.

But the report concludes from this that there were connections, saying the following:

In the DNS environment, if “Computer X” does a DNS look-up of “Computer Y,” it means that “Computer X” is attempting to connect to “Computer Y”.

This is false. That’s certainly the assumption we usually make, and it’s probably true most of the time. But it’s not something we insist upon if there’s reason to doubt it. And since there’s reason to doubt it here, we would need more evidence to reach that conclusion.

For example, before the contract was canceled in March 2016, there were DNS lookups for the “mail1.trump-email.com” name from all over. That’s because the Listrak server was pumping out bulk emails (“spam”) promoting Trump Hotels. Servers receiving the emails would often check the identity of the sending server via DNS lookups, but without any attempt to connect. This fact is footnoted in the Jones report even as it claims otherwise in the main text.

Obviously, that’s not the case after March 2016, when the contract was canceled. But if Cendyn repurposes the server for something else, such lookups can still happen without connections. The DNS records hadn’t changed. So if the server sends out new things from that IP address, unrelated to Trump Org, it would still cause DNS lookups for the “trump-email.com” domain to happen. It wouldn’t mean anybody was trying to connect to the server.
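To make the mechanism above concrete, here is a small Python model of the checks a receiving mail server runs when a bulk sender connects to it (example code added for this rewrite, not from the original post and not Cendyn’s or Listrak’s code). The zone data, the names and the 192.0.2.25 address are constructed stand-ins; every check is a DNS query issued by the recipient’s resolver, and none opens a connection back to the sending host.

```python
from dataclasses import dataclass, field

# Constructed zone data (not real DNS): a bulk-mail host, its PTR record and the
# sender domain's SPF TXT record. 192.0.2.0/24 is a documentation address range.
CONSTRUCTED_DNS = {
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail1.example-email.com."],
    ("mail1.example-email.com", "A"): ["192.0.2.25"],
    ("example-email.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

@dataclass
class Resolver:
    """Offline stand-in for the recipient organisation's resolver. It records
    every query, which is what a passive-DNS collector would see."""
    zone: dict
    queries: list = field(default_factory=list)

    def lookup(self, name, rtype):
        self.queries.append((name, rtype))
        return self.zone.get((name, rtype), [])

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def receiver_checks(resolver, client_ip, helo_name, mail_from_domain):
    """Checks a receiving MTA runs on an inbound SMTP session: forward-confirmed
    reverse DNS of the client IP, verification of the EHLO name, and a fetch of
    the envelope sender's SPF record. All are DNS queries; no connection is
    made back to the sending host."""
    ptr = resolver.lookup(reverse_name(client_ip), "PTR")
    ptr_name = ptr[0].rstrip(".") if ptr else None
    fcrdns = bool(ptr_name) and client_ip in resolver.lookup(ptr_name, "A")
    helo_ok = client_ip in resolver.lookup(helo_name, "A")
    spf = [t for t in resolver.lookup(mail_from_domain, "TXT") if t.startswith("v=spf1")]
    return {"fcrdns": fcrdns, "helo_ok": helo_ok, "spf_present": bool(spf)}

def names_queried(helo_name, mail_from_domain, client_ip="192.0.2.25"):
    """Distinct DNS names the recipient side resolves during one inbound session."""
    resolver = Resolver(CONSTRUCTED_DNS)
    receiver_checks(resolver, client_ip, helo_name, mail_from_domain)
    return sorted({name for name, _ in resolver.queries})

# While the client contract is active: bulk mail for the client, from that host.
BEFORE = names_queried("mail1.example-email.com", "example-email.com")
# After the host is repurposed for unrelated mail: PTR and EHLO still carry the
# old name, so recipients keep resolving it although nobody connects to it.
AFTER = names_queried("mail1.example-email.com", "meetings.example.net")
```

In a passive-DNS feed both sessions appear as the recipient’s resolver looking up mail1.example-email.com, which is the signal the Jones report reads as a connection attempt.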

This is indeed what Cendyn claims: that they repurposed the resources for their hotel meetings app (whereby hotels can schedule meetings and events on their premises).

It’s still suspicious that only these three organizations were involved, but at the same time, it’s clearly false to assume this is evidence of connections.

Finding #2 – Comparison with denihan-email.com.

The Jones report compared the DNS logs of trump-email.com with the domain of another of Cendyn’s clients, Denihan. Cendyn registered the domain denihan-email.com. This is another hotel company.

This comparison was clearly bogus. The contract with Cendyn ended in March 2016, after which Cendyn claims it repurposed the server. Jones uses the timeframe August 2016 through September 2016 to compare traffic for these two domains. Of course they’d be different. A valid comparison would be a timeframe before March 2016, when both were clients of Cendyn.

Since Jones documents the fact that the contract between Cendyn and Trump Org was ended, they’re knowingly comparing an apple to an orange. Thus, it’s not a mistake but a deception.

This also points to the fundamental problem with the data-set. We don’t really have a full picture of what happened, such as data going back to 2015. We have a carefully curated subset of the data designed to show just what they want us to see.

Everything points to the trump-email.com domain and Listrak servers being just normal Cendyn stuff used for Cendyn’s purposes. As far as we can tell, that domain worked the same as those of other Cendyn clients, such as denihan-email.com, hyatt-email.com, mjh-email.com, and so on. These domains are controlled by Cendyn, not their clients. Cendyn in turn points these names at Listrak servers for sending bulk email.

Finding #3 – Missing SPF record

The Jones report points to missing SPF records, showing that the server is not configured correctly for sending mass emails. It includes this exhibit.

But a review shows that this is the same configuration as for other Cendyn/Listrak bulk email servers. For example, compared to mjh-email.com, we find it’s configured the same:

The SPF and DMARC standards weren’t as widely used in 2016, so misconfigurations were common. Moreover, the domains also lacked a DMARC record. Without DMARC, regardless of SPF being bad, many receivers won’t reject the emails.

Listrak/Cendyn still fail to have proper DMARC records for their clients, which means that some of their bulk email is getting rejected. They should probably fix that. This doesn’t mean Listrak/Cendyn aren’t in the bulk email business, only that they could be better at it.

Thus, we’ve shown that trump-email.com had the perfectly normal Cendyn SPF records. Far from proving this isn’t a bulk email server, the consistency with Cendyn’s normal configuration proves unequivocally that it is.
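The comparison the post makes here (same SPF configuration as a sister domain, no DMARC record, so receivers mostly accept anyway) can be checked mechanically. The following Python is an example added for this rewrite, not part of the original post; the TXT records and domain names are constructed stand-ins, not the real Cendyn records.

```python
import ipaddress

# Constructed TXT records (not real lookups): two bulk-mail client domains with
# identical SPF and no _dmarc record, plus one domain publishing p=reject.
CONSTRUCTED_TXT = {
    "client-a-email.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "client-b-email.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "strict.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain, txt):
    recs = [t for t in txt.get(domain, []) if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None  # zero or several records: unusable

def spf_result(domain, sender_ip, txt=CONSTRUCTED_TXT):
    """RFC 7208 result for ip4/ip6 mechanisms and the final 'all' term; this
    small evaluator does not follow include/a/mx mechanisms or redirect."""
    rec = spf_record(domain, txt)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIER[qual]
        if mech[:4] in ("ip4:", "ip6:") and ip in ipaddress.ip_network(mech[4:], False):
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no explicit 'all'

def dmarc_policy(domain, txt=CONSTRUCTED_TXT):
    """The p= tag of the domain's DMARC record, or None if none is published."""
    for t in txt.get("_dmarc." + domain, []):
        tags = dict(kv.strip().split("=", 1) for kv in t.split(";") if "=" in kv)
        if tags.get("v") == "DMARC1":
            return tags.get("p", "none")
    return None

def disposition(domain, sender_ip, txt=CONSTRUCTED_TXT):
    """(spf, dmarc policy, action) for a policy-following receiver, treating the
    envelope domain as the aligned From domain. With no DMARC record, a failing
    SPF result on its own does not lead the receiver to reject the mail."""
    spf, policy = spf_result(domain, sender_ip, txt), dmarc_policy(domain, txt)
    if spf != "pass" and policy in ("quarantine", "reject"):
        return spf, policy, policy
    return spf, policy, "accept"

def same_config(a, b, txt=CONSTRUCTED_TXT):
    return (spf_record(a, txt), dmarc_policy(a, txt)) == (spf_record(b, txt), dmarc_policy(b, txt))
```

Running same_config over a provider’s client domains is the check the post performs by eye: a domain that matches its sister domains is evidence of the provider’s standard setup, not of anything special about that client.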

Finding #4 – Accepts emails only from specific senders

The Jones report shows that the server in question (66.216.133.29) accepts incoming email connections but rejects email from the public, accepting email only from specific senders. They assume the specific senders would be those from Alfa Bank, Spectrum, and Heartland.

Again, they don’t compare properly to other Cendyn/Listrak systems. If they had, they’d have found that all of them are configured the same way. There’s an entire subnet of servers you can test this way:

All these servers show the same messages, allowing incoming email connections but not incoming email messages.

This is a vestigial configuration common to bulk email senders. Spammers only send email. One way to test whether somebody is a spammer is to connect back. This configuration makes it appear they’ll accept email even when they won’t, passing the test.

In no way is this evidence of secret communications. It’s not evidence for their claim that somehow Alfa Bank, Spectrum Health, and Heartland would be on the list of allowed senders. We would need more evidence to make that claim, not an assumption.

Finding #5 – Evidence of human interaction and coordination

The report claims a direct link between Alfa and Trump with the following:

On September 23, 2016, two days after The New York Times approached Alfa Bank, the Trump Organization deleted the email server “mail1.trump-email.com” … it would have been a deliberate human action taken by somebody working on behalf of the Trump Organization and not by Alfa Bank. An analyst, quoted in the Slate article by Franklin Foer, observed that “the knee was struck in Moscow, and the leg kicked in New York.”

This ‘finding’ is a wonderful demonstration of how to identify conspiracy theories: anomalies that cannot otherwise be explained become evidence of the conspiracy. After all, the conspiracy theory can explain everything.

When I debunked the Alfa-Trump thing back in 2017, reporters grilled me on this particular point. They demanded I come up with an explanation for this coincidence. I told them I had none, but just because I didn’t have one, it didn’t mean it was evidence of the conspiracy theory. There could be lots of explanations; just because we don’t know them doesn’t mean they don’t exist. Just because the conspiracy theory explains it doesn’t mean this is evidence for the conspiracy.

But now we do have another explanation: the FBI called Cendyn on the morning of September 23 and asked them about the domain. As the agent reported back:

“Followed up this morning with Central Dynamics [Cendyn] who confirmed that the mail1.trump-email.com domain is an old domain that was set up in approximately 2009 when they were doing business with the Trump Organization that was never used.” — *

Thus, it’s not the NYT contacting Alfa Bank that triggered the deletion, it’s the FBI calling Cendyn. Thus, there’s no evidence Alfa Bank or Trump Org were even involved. The evidence is quite clear that only Cendyn was involved.

After Cendyn deleted the domain “mail1.trump-email.com”, lookups of that name started to fail. The Jones report notes that Alfa Bank then switched to “trump1.contact-client.com”. It weaves this into the conspiracy thusly:

The fact that Alfa Bank was the first entity (IP address) to conduct a DNS look-up for “trump1.contact-client.com” in the data-set may indicate that someone at Alfa Bank was in some manner made aware of the new Trump Organization server name.

The name “contact-client.com” is part of Cendyn’s infrastructure. For their “mail1.customer-email.com” domains, there’s a corresponding “customer1.contact-client.com” domain. We can see that live right now:

This is perfectly consistent with Cendyn’s re-use of the infrastructure for a new purpose, as it would handle both domains the same way. Rather than evidence suggesting human interaction, it’s evidence suggesting the opposite: that there was no human interaction.

6. The Mandiant report doesn’t refute these findings

After this thing hit the news, Alfa Bank hired Mandiant to come to their offices and investigate. Their report was inconclusive. They didn’t find anything.

Note the difference in language. Things Mandiant can’t explain demonstrate Mandiant’s incompetence, whereas things Jones can’t explain prove the conspiracy theory. If Mandiant’s report should be treated as inconclusive and evidence of nothing, then so too should the Jones report. The Jones report has even less evidence than the Mandiant report.

7. The public statements by Trump et al. are contradictory and incomplete

Duh.

The Trump Org, Alfa, and Spectrum Health have no idea what happened. Their statements are consistent with knowing they don’t have secret communications, but not knowing where this DNS data came from. They are unable to refute the allegations, but at the same time are concerned for their reputations, and behave accordingly. Which, of course, means they guess at what’s happening with more confidence than is warranted.

If there were secret communications among them, you’d expect they’d do a better job at coordinating their stories.

Conclusion

In this blogpost, I’ve refuted all the findings of the Jones report. There is still the question of where this DNS anomaly came from, but the allegation that this proves a secret connection between Alfa Bank and a Trump server is clearly false.

Moreover, I’ve shown that the Jones report is not merely wrong, but deliberately deceptive. They repeatedly reference a “Trump Organization Server” even though it’s quite clear from the text they know that no such server exists.

For example, when Cendyn removed the “mail1.trump-email.com” DNS record, it was described as the “Trump Organization deleted the email server”. It’s clear they know that Cendyn simply removed the mail1.trump-email.com record, and that the Listrak server wasn’t touched. Yet they deliberately phrased things this way in order to deceive.

What we have is Alfa Bank doing DNS queries. What we don’t have is any connection to the Trump Org. Since Jones couldn’t reach the conclusion based on evidence that Trump Org was involved, he instead made it the premise.

This in turn makes it easy to disprove the entire Jones report: since there’s not only no evidence of Trump Org involvement, but lots of evidence that Trump Org had no control over the domain or servers, it disproves the entire theory that there were secret connections with Alfa Bank.

*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: https://blog.erratasec.com/2021/10/debunking-that-jones-alfa-trump-report.html
