It's time for Trump to answer serious questions about his ties to Russia. https://t.co/D8oSmyVAR4 pic.twitter.com/07dRyEmPjX— Hillary Clinton (@HillaryClinton) October 31, 2016
This is nonsense. The evidence available on the Internet is that Trump neither (directly) controls the domain "trump-email.com", nor has access to the server. Instead, the domain was setup and controlled by Cendyn, a company that does marketing/promotions for hotels, including many of Trump's hotels. Cendyn outsources the email portions of its campaigns to a company called Listrak, which actually owns/operates the physical server in a data center in Philidelphia.
In other words, Trump's response is (minus the political bits) likely true, supported by the evidence. It's the conclusion I came to even before seeing the response.
When you view this "secret" server in context, surrounded by the other email servers operated by Listrak on behalf of Cendyn, it becomes more obvious what's going on. In the same Internet address range of Trump's servers you see a bunch of similar servers, many named [client]-email.com. In other words, trump-email.com is not intended as a normal email server you and I are familiar with, but as a server used for marketing/promotional campaigns.
It's Cendyn that registered and who controls the trump-email.com domain, as seen in the WHOIS information. That the Trump Organization is the registrant, but not the admin, demonstrates that Trump doesn't have direct control over it.
When the domain information was changed last September 23, it was Cendyn who did the change, not the Trump Organization. This link lists a bunch of other hotel-related domains that Cendyn likewise controls, some Trump related, some related to Trump's hotel competitors, like Hyatt and Sheraton.
Cendyn's claim they are reusing the server for some other purpose is likely true. If you are an enterprising journalist with $399 in your budget, you can find this out. Use the website http://reversewhois.domaintools.com/ to get a complete list of the 641 other domains controlled by Cendyn, then do an MX query for each one to find out which of them is using mail1.trump-email.com as their email server.
This is why we can't have nice things on the Internet. Investigative journalism is dead. The Internet is full of clues like this if only somebody puts a few resources into figuring things out. For example, organizations that track spam will have information on exactly which promotions this server has been used for in the recent past. Those who operate public DNS resolvers, like Google's 220.127.116.11, OpenDNS, or Dyn, may have knowledge which domain was related to mail1.trump-email.com.
Indeed, one journalist did call one of the public resolvers, and found other people queried this domain than the two listed in the Slate story -- debunking it. I've heard from other DNS malware researchers (names remain anonymous) who confirm they've seen lookups for "mail1.trump-email.com" from all over the world, especially from tools like FireEye that process lots of spam email. One person claimed that lookups started failing for them back in late June -- and thus the claim of successful responses until September are false. In other words, the "change" after the NYTimes queried Alfa Bank may not be because Cendyn (or Trump) changed anything, but because that was the first they checked and noticed that lookup errors were happening.
Since I wrote this blog post at midnight, so I haven't confirmed this with anybody yet, but there's a good chance that the IP address 18.104.22.168 has continued to spew spam for Trump hotels during this entire time. This would, of course would generate lookups (both reverse and forward). It seems like everyone who works for IT for a large company should be able to check their incoming email logs and see if they've been getting emails from that address over the last few months. If you work in IT, please check your logs for the last few months and Tweet me at @erratarob with the results, either positive or negative.
And finally, somebody associated with Alfa Bank IT operations confirms that executives like to stay at Trump hotels all the time (like in Vegas and New York), and there was a company function one of Trump's golf courses. In other words, there's good reason for the company to get spam from, and need to communicate with, Trump hotels to coordinate events.
And so on and so forth -- there's a lot of information out there if we just start digging.
That this is just normal marketing business from Cendyn and Listrak is the overwhelming logical explanation for all this. People are tempted to pull nefarious explanations out of their imaginations for things they don't understand. But for those of us with experience in this sort of thing, what we see here is a normal messed up marketing (aka. spam) system that the Trump Organization doesn't have control over. Knowing who owns and controls these servers, it's unreasonable to believe that Trump is using them for secret emails. Far from "secret" or "private" servers as Hillary claims, these servers are wide open and obvious.
This post provides a logic explanation, but we can't count on this being provably debunked until those like Dyn come forward, on the record, and show us lookups that don't come from Alfa Bank. Or, those who work in big companies can pull records from their incoming email servers, to show that they've been receiving spam from that IP address over the last few months. Either of these would conclusively debunk the story.
But experts say...
But the article quotes several experts confirming the story, so how does that jibe with this blog post. The answer is that none of the experts confirmed the story.
Read more carefully. None of the identified experts confirmed the story. Instead, the experts looked at pieces, and confirmed part of the story. Vixie rightly confirmed that the pattern of DNS requests came from humans, and not automated systems. Chris Davis rightly confirmed the server doesn't look like a normal email server.
Neither of them, however, confirmed that Trump has a secret server for communicating with the Russians. Both of their statements are consistent with what I describe above -- that's it's a Cendyn operated server for marketing campaigns independent of the Trump Organization.
Those researchers violated their principles
The big story isn't the conspiracy theory about Trump, but that these malware researchers exploited their privileged access for some purpose other than malware research.
Malware research consists of a lot of informal relationships. Researchers get DNS information from ISPs, from root servers, from services like Google's 22.214.171.124 public DNS. It's a huge privacy violation -- justified on the principle that it's for the general good. Sometimes the fact that DNS information is shared is explicit, like with Google's service. Sometimes people don't realize how their ISP shares information, or how many of the root DNS servers are monitored.
People should be angrily calling their ISPs and ask them if they share DNS information with untrustworthy researchers. People should be angrily asking ICANN, which is no longer controlled by the US government (sic), whether it's their policy to share DNS lookup information with those who would attempt to change US elections.
There's not many sources for this specific DNS information. Alfa Bank's servers do their own resolution, direction from the root on down. It's unlikely they were monitoring Alfa Bank's servers directly, or monitoring Cendyn's authoritative servers. That means some sort of passive DNS on some link in between, which is unlikley. Conversely, they could be monitoring one of the root domain servers -- but this monitoring wouldn't tell them the difference between a successful or failed lookup, which they claim to have. In short, of all the sources of "DNS malware information" I've heard about, none of it would deliver the information these researchers claim to have (well, except the NSA with their transatlantic undersea taps, of course).
Update: this tweet points out original post mentions getting data from "ams-ix23" node, which hints at AMS-IX, Amsterdam InterXchange, where many root server nodes are located.