So Alfa Bank (the bank whose DNS traffic links it to trump-email.com) is back in the news with this press release about how in the last month, hackers have spoofed traffic trying to make it look like there's a tie with Trump. In other words, Alfa claims these packets are trying to frame them for a tie with Trump now, and thus (by extension) it must've been a frame last October.
There is no conspiracy here: it's just merry pranksters doing pranks (as this CNN article quotes me).
Indeed, among the people pranking has been me (not the pranks mentioned by Alfa, but different pranks). I ran a scan sending packets from IP address to almost everyone on the Internet, and set the reverse lookup to "mail1.trumpemail.com".
Sadly, my ISP doesn't allow me to put hyphens in the name, so it's not "trump-email.com" as it should be in order to prank well.
Geeks gonna geek and pranksters gonna prank. I can imagine all sorts of other fun pranks somebody might do in order to stir the pot. Since the original news reports of the AlfaBank/trump-email.com connection last year, we have to assume any further data is tainted by goofballs like me goofing off.
By the way, in my particular case, there's a good lesson to be had here about the arbitrariness of IP addresses and names. There is no server located at my IP address of 18.104.22.168. No such machine exists. Instead, I run my scans from a nearby machine on the same network, and "spoof" that address with masscan:
$ masscan 0.0.0.0/0 -p80 --banners --spoof-ip 22.214.171.124
This sends a web request to every machine on the Internet from that IP address, despite no machine anywhere being configured with that IP address.
I point this out because people are confused by the meaning of an "IP address", or a "server", "domain", and "domain name". I can imagine the FBI looking into this and getting a FISA warrant for the server located at my IP address, and my ISP coming back and telling them that no such server exists, nor has a server existed at that IP address for many years.
In the case of last year's story, there's little reason to believe IP spoofing was happening, but the conspiracy theory still breaks down for the same reason: the association between these concepts is not what you think it is. Listrak, the owner of the server at the center of the conspiracy, still reverse resolves the IP address 126.96.36.199 as "mail1.trump-email.com", either because they are lazy, or because they enjoy the lulz.
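One check an analyst can run before reading anything into a reverse name seen in a log is forward-confirmed reverse DNS (FCrDNS): resolve the PTR name forward and see whether it points back at the IP that carried it, since anyone who controls an address block can publish whatever PTR name they like. This is an added Python example, not code from the original post; the records, addresses and log lines are constructed placeholders, and live_ptr/live_a are optional hooks to the system resolver for real use.

```python
import socket
from typing import Dict, List, Optional, Tuple
# Constructed sample records (placeholder addresses and names, not the real ones):
# PTR = the reverse name an IP's owner chose; A = what the name's owner publishes.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mail1.example-marketing.test",  # forward record agrees
    "192.0.2.11": "mail1.trumpemail.test",          # vanity PTR, forward disagrees
}
A_RECORDS: Dict[str, List[str]] = {
    "mail1.example-marketing.test": ["192.0.2.10"],
    "mail1.trumpemail.test": ["198.51.100.7"],
}
table_ptr = PTR_RECORDS.get                      # offline stand-ins for the resolver
table_a = lambda name: A_RECORDS.get(name, [])

def live_ptr(ip: str) -> Optional[str]:
    """Reverse lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_a(name: str) -> List[str]:
    """Forward lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def fcrdns(ip: str, ptr=table_ptr, a=table_a) -> Tuple[str, Optional[str]]:
    """Forward-confirmed reverse DNS: the PTR name counts only if it resolves
    back to the IP that carried it. Returns (verdict, ptr_name)."""
    name = ptr(ip)
    if name is None:
        return ("no-ptr", None)
    return ("confirmed" if ip in a(name) else "unconfirmed", name)

def annotate_log(lines: List[str], ptr=table_ptr, a=table_a):
    """Tag each 'src=<ip>' log line with its FCrDNS verdict."""
    out = []
    for line in lines:
        ip = next((t[4:] for t in line.split() if t.startswith("src=")), None)
        out.append((line, *(fcrdns(ip, ptr, a) if ip else ("no-src", None))))
    return out

SAMPLE_LOG = [  # constructed DNS query log lines
    "2017-03-17T12:00:01Z query src=192.0.2.10 qname=mail.alfabank.example",
    "2017-03-17T12:00:02Z query src=192.0.2.11 qname=mail.alfabank.example",
]
```

Passing `ptr=live_ptr, a=live_a` to annotate_log runs the same check against real DNS; an "unconfirmed" verdict means the reverse name is merely asserted by the address owner, not evidence of who sent the traffic.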
It's absurd thinking anything sent by the server is related to the Trump Organization today, and it's equally plausible that nothing the server sent was related to Trump last year as well, especially since (as CNN reports), Trump had severed its ties with Cendyn (the marketing company that uses Listrak servers for email).
Also, as mentioned in a previous blog post, I set my home network's domain to be "moscow.alfaintra.net", which means that some of my DNS lookups at home are actually being sent to Alfa Bank. I should probably turn this off before the FBI comes knocking at my door.