Why Trump’s Russian Server Connection Is Less Suspicious Than It Sounds
What if a major presidential candidate were in secret communication with Russia, through a secret internet channel kept hidden from the rest of the web? That’s the scenario laid out last night in a Slate report by Franklin Foer. Drawing on DNS (or domain name system) records, the report lays out months of communications between a mail server owned by the Trump Organization and another owned by Russia’s Alfa Bank. We don’t know what data passed between the servers, but given Trump’s extensive financial ties to Russia, that communication struck Foer as suspicious, potentially even evidence of coordination between Trump and a foreign power.
Not everyone is convinced. Hours after the Slate piece arrived, The New York Times followed up with a report that the FBI had investigated the server and come away with no evidence tying Trump to Russia’s efforts to influence the election. At the same time, doubts have surfaced about many of the technical details of the piece, raising serious questions about the exposé. The researchers consulted by Foer are among the most respected analysts in their field, and it’s clear something unusual is happening between the servers — but whether that means anything for Trump’s relationship with Russia is far less clear.
I can definitely understand why my fellow nerds are excited about this Trump DNS traffic but there are just so so many possible explanations— Tom Lee (@tjl) October 31, 2016
The biggest problem is the nature of the data the story is based on. The core of the story is a set of DNS records first published in part on October 5th, showing ongoing queries between the two servers. DNS works as a kind of phone book for the internet, connecting URLs (like theverge.com) to IP addresses (like 220.127.116.11) — the same system that was attacked earlier this month, bringing down a number of basic internet functions. Observers saw consistent queries from the Alfabank’s server to mail1.trump-email.com, like spotting them looking up his address in the phonebook again and again over a long period of time. Typically, those queries are made before a more tangible data connection, like looking up a website’s IP address before you load it or looking up an email server’s IP address before you download recent messages.
DNS records are often collected by outside parties, but they can’t show what happened once the connection was made. All we know is that someone in Russia kept looking up Trump’s server. As a result, many researchers consider those records an incomplete data set that’s easy to misinterpret. “DNS without context is playing with matches,” says security researcher Jonathan Zdziarski. “It might be spot on. But it's like trying to guess someone's motives by looking at individual words in a search history.”
The server traffic is irregular, to be sure, but it’s less clear what conclusions to draw from that, if any. “When you have only a few details, the nefarious ones loom large in your imagination,” says Errata Security’s Robert David Graham. “But for people like me who've setup and managed lots of DNS and email servers, the more likely explanation is incompetence and legacy systems.”
Other parts of the story are less convincing on closer inspection. For Foer, the connection between the servers is particularly ominous because of its exclusivity. When researchers sent queries to the server, it replied with error messages, and a full 87 percent of the DNS lookups on the server came from two specific Alfa Bank servers. The result, for Foer, is a computer set up to communicate with only a small number of other addresses, “a digital hotline connecting the two entities, shutting out the rest of the world.”
But that hotline isn’t quite as exclusive as it looks. A server replying to a ping with an error message isn’t unusual: one researcher even demonstrated a similar reaction from Slate.com. Having such a majority of DNS queries come from a single source is more unusual, but there are lots of explanations that don’t involve espionage. Foer notes a number of queries from a medical clinic in Michigan, and researchers at Dyn have found plenty of other lookups that didn’t come from either source. “It seems to be a stretch to then say this is evidence of a secretive relationship between Trump and a Russian bank,” said Dyn’s Doug Madory. If this was meant to be a hotline between two parties, it’s hard to say how those other parties fit in.
More importantly, there’s no evidence that either Trump or Alfa Bank took any concrete steps to conceal their identity. There are plenty of ways to stay anonymous on the internet, whether through fake names, third-party hosts, or circumvention networks like Tor — but neither party attempted anything like that. Trump’s supposedly secret channel to Russia was publicly available at mail1.trump-email.com, which would have been easy to change to something less conspicuous. Alfa’s server was also publicly identifying itself when it made the queries, which would have been easy to avoid if secrecy was important. Even the existence of DNS records is a kind of tell. All our evidence of the connection between the two servers comes from repeated public queries made over the course of months — but if this was really a secret hotline, why make those queries at all? If the servers were only meant to talk to each other, why not connect directly, storing the IP-domain link locally and skipping public domain registration entirely? Failing that, why not use a shared email account or any of dozens of private messaging services that leave less of a metadata trail? There are plenty of hard problems in building untraceable chat systems, but avoiding incriminating DNS records isn’t one of them.
So if the Trump server wasn’t part of a secret hotline, what was it doing? The most popular answer is some combination of marketing and spam. Registration records show the Trump server is administered by a company called Cendyn, which Trump hired for “interactive marketing services” back in 2007. When Slate contacted the Michigan health clinic, which had queried the same Trump server, they put it down to “a small number of incoming spam marketing emails,” sent by Cendyn on behalf of Trump hotels. That’s the same explanation Alfabank’s representatives offered Foer, saying the leading theory was that the servers “may have been responding with common DNS lookups to spam sent to it by a marketing server.”
It’s unusual to respond to a spam email with a DNS lookup, but it can be useful for checking the general location of the server and ensuring it exists. If Alfabank’s servers had a particularly aggressive or buggy anti-spam system, it would be easy to account for 87 percent of the lookups for that particular address — and there’s reason to believe that they did. On Twitter, a consultant named Naadir Jeewa tracked down Alfabank’s email scanning system, which turns out to have a history of unusual DNS activity. What looked like discreet hotline calls could well have been an automated email scanner responding to every marketing email by running to the phone book to check the address.
Alfa Bank, like most banks probably have an email scanner that attempt a reverse connection, just to check that the email server is real.— Naadir Jeewa (@randomvariable) November 1, 2016
That would also explain the irregular pattern of the emails, one of the key points of mystery in the Slate piece. The simplest explanation for most unusual internet traffic is either a malware infection or some automated system gone haywire, but the pattern of the queries was too unpredictable for that. As Foer notes, they came erratically, speeding up as the campaign intensified and always beginning during working hours on Eastern Time. That would seem to indicate a human being at the end of the line, as opposed to the scrupulous regularity of a bot. But if the trigger for the lookups is an email marketing campaign, the timing makes perfect sense. The sender was human, scheduling emails according to the working hours of Trump’s New York headquarters, and the DNS lookup was an automated response to that human query.
It’s still difficult to be sure exactly what happened. The DNS records still haven’t been published in full, so no one has seen them aside from Foer and a few other journalists and technical advisors. There may well be more incriminating evidence in those records, or technical evidence too intricate to detail in the article. But for now, the simplest explanation is that the traffic came from email marketing rather than sub rosa communications. We simply don’t have reason to believe anything more sinister is going on. In the long list of Trump scandals, this one doesn’t rank particularly high.