Sunday, October 31, 2021

Debunking: that Jones Alfa-Trump report

The Alfa-Trump conspiracy-theory has gotten a new life. Among the new things is a report done by Democrat operative Daniel Jones [*]. In this blogpost, I debunk that report.

If you'll recall, the conspiracy-theory comes from anomalous DNS traffic captured by cybersecurity researchers. In the summer of 2016, while Trump was denying involvement with Russian banks, the Alfa Bank in Russia was doing lookups on the name "mail1.trump-email.com". During this time, additional lookups were also coming from two other organizations with suspicious ties to Trump, Spectrum Health and Heartland Payments.

This is certainly suspicious, but people have taken it further. They have crafted a conspiracy-theory to explain the anomaly, namely that these organizations were secretly connecting to a Trump server.

We know this explanation to be false. There is no Trump server, no real server at all, and no connections. Instead, the name was created and controlled by Cendyn. The server the name points to is for transmitting bulk email and isn't really configured to accept connections. It's built for outgoing spam, not incoming connections. The Trump Org had no control over the name or the server. As Cendyn explains, the contract with the Trump Org ended in March 2016, after which they re-used the IP address for other marketing programs, but since they hadn't changed the DNS settings, this caused lookups of the DNS name.

This still doesn't answer why Alfa, Spectrum, Heartland, and nobody else were doing the lookups. That's still a question. But the answer isn't secret connections to a Trump server. The evidence is pretty solid on that point.


Daniel Jones and Democracy Integrity Project

The report is from Daniel Jones and his Democracy Integrity Project.

It's at this point that things get squirrely. All sorts of right-wing sites claim he's a front for George Soros, funds Fusion GPS, and was involved in the Steele Dossier. That's right-wing conspiracy theory nonsense.

But at the same time, he's clearly not an independent and objective analyst. He was hired to further the interests of Democrats.

If the data and analysis held up, then partisan ties wouldn't matter. But they don't hold up. Jones is clearly trying to be deceptive.

The deception starts by repeatedly referring to the "Trump server". There is no Trump server. There is a Listrak server operated on behalf of Cendyn. Whether the Trump Org had any control over the name or the server is a key question the report should be trying to prove, not a premise. The report clearly understands this fact, so it can't be considered a mere mistake, but a deliberate deception.

People make assumptions that a domain name like "trump-email.com" would be controlled by the Trump organization. It wasn't. When Trump Hotels hired Cendyn to do marketing for them, Cendyn did what they normally do in such cases: register a domain with their client's name for the sending of bulk emails. They did the same thing with hyatt-email.com, denihan-email.com, mjh-email.com, and so on. What is clear is that the Trump organization had no control over, and no direct ties to, this domain until after the conspiracy-theory hit the press.


Finding #1 - Alfa Bank, Spectrum Health, and Heartland account for nearly all of the DNS lookups for mail1.trump-email.com in the May-September timeframe.

Yup, that's weird and unexplained.

But it concludes from this that there were connections, saying the following:

In the DNS environment, if "computer X" does a DNS look-up of "Computer Y," it means that "Computer X" is trying to connect to "Computer Y".

This is false. That's certainly the assumption we usually make, and it's probably true in most cases. But it's not something we insist upon if there's reason to doubt it. And since there's reason to doubt it here, we would need more evidence to make that conclusion.

For example, before the contract was canceled in March 2016, there were DNS lookups for the "mail1.trump-email.com" name from all over the place. That's because the Listrak server was pumping out bulk emails ("spam") promoting Trump Hotels. Servers receiving the emails would often check the identity of the server through DNS lookups, but without any attempt to connect. This fact is footnoted in the Jones report even as it claims otherwise in the main text.

Obviously, that's no longer the case after March 2016, when the contract was canceled. But if Cendyn repurposes the server for something else, such lookups can still happen without connections. The DNS records hadn't changed. So if the server sends out new things from that IP address, unrelated to Trump Org, it'd still cause DNS lookups for the "trump-email.com" domain to happen. It wouldn't mean anybody was trying to connect to the server.

This is indeed what Cendyn claims, that they repurposed the resources for their hotel meetings app (whereby hotels can schedule conferences and things on their premises).

It's still suspicious that only those three organizations were involved, but at the same time, it's clearly false to assume this is evidence of connections.


Finding #2 - Comparison with denihan-email.com.

The Jones report compared the DNS logs of trump-email.com with the domain of another of Cendyn's clients, Denihan. Cendyn registered the domain denihan-email.com. This is another hotel company.

This comparison was obviously bogus. The contract with Cendyn ended in March 2016, after which Cendyn claims it repurposed the server. Jones uses the timeframe August 2016 through September 2016 to compare traffic for those two domains. Of course they'd be different. A valid comparison would be a timeframe before March 2016, when both were clients of Cendyn.

Since Jones documents the fact that the contract between Cendyn and Trump Org was ended, they are knowingly comparing an apple to an orange. Thus, it's not a mistake but a deception.

This also points to the fundamental problem with the data-set. We don't really have a full picture of what happened, such as data going back to 2015. We have a carefully curated subset of the data designed to show just what they want us to see.

Everything points to the trump-email.com domain and Listrak servers being just normal Cendyn stuff used for Cendyn's purposes. As far as we can tell, that domain worked the same as those of other Cendyn clients, such as denihan-email.com, hyatt-email.com, mjh-email.com, and so on. These domains are controlled by Cendyn, not their clients. Cendyn in turn points those names at Listrak servers for sending bulk email.


Finding #3 - Missing SPF record

The Jones report points to missing SPF records, showing that the server is not configured correctly for sending mass emails. It includes this exhibit.


But a review shows that this is the same configuration as for other Cendyn/Listrak bulk email servers. For example, compared to mjh-email.com, we find it's configured the same:


The SPF and DMARC standards were not as widely used in 2016, so misconfigurations were common. Moreover, the domains also lacked a DMARC record. Without a DMARC record telling them what to do with failures, many receivers won't reject the emails even when SPF is bad.

Listrak/Cendyn still fail to have proper DMARC records for their clients, which means that some of their bulk email is getting rejected. They should probably fix that. This doesn't mean Listrak/Cendyn aren't in the bulk email business, only that they could be better at it.

Thus, we've shown that trump-email.com had the perfectly normal Cendyn SPF records. Far from proving this isn't a bulk email server, the consistency with Cendyn's normal configuration proves unequivocally that it is.
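To make the SPF/DMARC point concrete, here is an added example (not from the original post, and not Cendyn's, Listrak's or any real domain's records) of how a receiver evaluates a sender IP against an SPF record and then consults the domain's DMARC policy. All TXT records, domain names and IP addresses below are constructed; the documentation ranges 192.0.2.0/24 and 203.0.113.0/24 stand in for real sender networks. It assumes, for simplicity, that the envelope sender domain is the same as the From: header domain (so SPF is "aligned" for DMARC) and it omits DKIM except as an optional flag.

```python
# Added example: SPF + DMARC evaluation with constructed records.
import ipaddress

# Constructed TXT data keyed by owner name. None of these are real records.
TXT = {
    "bulk-client.example.": ["v=spf1 ip4:192.0.2.0/24 -all"],   # SPF only, no DMARC
    "strict.example.": ["v=spf1 ip4:192.0.2.0/24 -all"],        # SPF ...
    "_dmarc.strict.example.": ["v=DMARC1; p=reject"],           # ... plus DMARC reject
    "nospf.example.": [],                                       # no SPF at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip):
    """Evaluate the ip4 and all mechanisms of an SPF record for sender_ip.
    Returns 'none' when the domain publishes no SPF record."""
    records = [r for r in TXT.get(domain + ".", []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
        if mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def dmarc_policy(domain):
    """Return the p= tag of _dmarc.<domain>, or None when no record exists."""
    for r in TXT.get("_dmarc." + domain + ".", []):
        if r.startswith("v=DMARC1"):
            tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
            return tags.get("p", "none")
    return None


def dmarc_evaluate(domain, spf_result, dkim_aligned_pass=False):
    """DMARC passes if an aligned SPF or DKIM check passes. With no DMARC
    record there is nothing to evaluate and no policy to apply."""
    policy = dmarc_policy(domain)
    if policy is None:
        return "none", None
    authenticated = spf_result == "pass" or dkim_aligned_pass
    return ("pass" if authenticated else "fail"), policy


def receiver_decision(domain, sender_ip, dkim_aligned_pass=False):
    """Combine SPF and DMARC the way a typical receiver does: only a DMARC
    policy turns an authentication failure into a hard reject or quarantine;
    an SPF fail on its own is just a spam-scoring signal."""
    spf = spf_check(domain, sender_ip)
    dmarc, policy = dmarc_evaluate(domain, spf, dkim_aligned_pass)
    if dmarc == "fail" and policy == "reject":
        action = "reject"
    elif dmarc == "fail" and policy == "quarantine":
        action = "quarantine"
    elif spf in ("fail", "softfail"):
        action = "accept-and-score"
    else:
        action = "accept"
    return {"spf": spf, "dmarc": dmarc, "policy": policy, "action": action}


if __name__ == "__main__":
    for dom, ip in [("bulk-client.example", "203.0.113.5"),
                    ("strict.example", "203.0.113.5"),
                    ("nospf.example", "203.0.113.5")]:
        print(dom, ip, receiver_decision(dom, ip))
```

The middle case is the one the post describes: the sender IP fails SPF, but because there is no DMARC record the receiver has no published policy to act on and, at most, scores the message as more spam-like. Only the domain with `p=reject` gets a hard reject.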


Finding #4 - Accepts emails only from specific senders

The Jones report shows that the server in question (66.216.133.29) accepts incoming email, but rejects email from the public, accepting email only from specific senders. They assume the specific senders would be those from Alfa Bank, Spectrum, and Heartland.

Again, they don't compare properly to other Cendyn/Listrak systems. If they had, they'd have found that they are all configured the same way. There's an entire subnet of servers you can test this way:


All these servers show the same messages, allowing incoming email connections but not incoming email messages.

This is a vestigial configuration common to bulk email senders. Spammers only send email. One way to test if somebody is a spammer is to connect back. This configuration makes it appear they'll accept email even if they won't, passing the test.

In no way is this evidence of secret communications. It's not evidence of their claim that somehow Alfa Bank, Spectrum Health, and Heartland would be on the list of allowed senders. We would need additional evidence to make that claim, not an assumption.
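The distinction between "accepts incoming email connections" and "accepts incoming email messages" is easiest to see on the wire. The following is an added example (not from the original post, and not Listrak's or Cendyn's actual configuration) that simulates both sides of an SMTP session with an outbound-only mailer: the server completes the greeting and EHLO, so a connect-back check sees a live MTA, but refuses MAIL FROM for any sender not on an allowlist. The hostname, the allowlist and the choice to reject at MAIL FROM rather than at RCPT TO are assumptions made for the demonstration.

```python
# Added example: simulated SMTP dialogue with a send-only MTA.

class SendOnlyMta:
    """Minimal SMTP responder for an outbound-only bulk mailer (constructed).
    It answers the banner and HELO/EHLO normally but refuses every MAIL FROM
    whose sender is not on the allowlist, so no message is ever accepted
    from the public."""

    def __init__(self, allowed_senders):
        self.allowed = {s.lower() for s in allowed_senders}
        self.greeted = False

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 mail.example.invalid Hello"
        if verb == "MAIL":
            if not self.greeted:
                return "503 5.5.1 Send HELO/EHLO first"
            sender = arg.partition(":")[2].strip().strip("<>").lower()
            if sender in self.allowed:
                return "250 2.1.0 Sender OK"
            return "550 5.7.1 Relaying denied for " + sender
        if verb == "RCPT":
            return "503 5.5.1 Need MAIL command"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"


def run_session(allowed_senders, client_lines):
    """Drive one session and return the transcript as (side, text) pairs,
    'S' for server lines and 'C' for client lines."""
    mta = SendOnlyMta(allowed_senders)
    transcript = [("S", "220 mail.example.invalid ESMTP ready")]
    for line in client_lines:
        transcript.append(("C", line))
        transcript.append(("S", mta.handle(line)))
    return transcript


def connection_accepted_but_message_rejected(transcript):
    """The pattern the post describes: a 220 banner and a 250 to EHLO
    (connection accepted) followed by a 5xx to MAIL FROM (message refused)."""
    server = [text for side, text in transcript if side == "S"]
    return (server[0].startswith("220")
            and any(t.startswith("250") for t in server)
            and any(t.startswith("550") for t in server))


if __name__ == "__main__":
    # Constructed probe from an unknown sender, as a connect-back test would do.
    session = run_session(["ops@partner.example"],
                          ["EHLO probe.example",
                           "MAIL FROM:<someone@public.example>",
                           "QUIT"])
    for side, text in session:
        print(side + ": " + text)
```

Run against a whole subnet of identically configured senders, every host would produce this same transcript, which is exactly why the behaviour says nothing about who is on the allowlist.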


Finding #5 - Evidence of human interaction and coordination

The report claims a direct link between Alfa and Trump with the following:

On September 23, 2016, two days after The New York Times approached Alfa Bank, the Trump Organization deleted the email server "mail1.trump-email.com" ... it would have been a deliberate human action taken by a someone working on behalf of the Trump Organization and not by Alfa Bank. An analyst, quoted in the Slate article by Franklin Foer, observed that "the knee was struck in Moscow, and the leg kicked in New York."

This 'finding' is an excellent demonstration of how to identify conspiracy-theories: anomalies that cannot otherwise be explained become proof of the conspiracy. After all, the conspiracy-theory can explain everything.

When I debunked the Alfa-Trump thing back in 2017, reporters grilled me on this specific point. They demanded I come up with an explanation for this coincidence. I told them I had none, but just because I didn't have one, it didn't mean it was proof of the conspiracy theory. There could be lots of explanations; just because we don't know them doesn't mean they don't exist. Just because the conspiracy-theory explains it doesn't mean this is evidence for the conspiracy.

But now we do have another explanation: the FBI called Cendyn on the morning of September 23 and asked them about the domain. As the agent reported back:

“Followed up this morning with Central Dynamics [Cendyn] who confirmed that the mail1.trump-email.com domain is an old domain that was set up in approximately 2009 when they were doing business with the Trump Organization that was never used." -- *

Thus, it's not NYT contacting Alfa Bank that caused the deletion, it's the FBI calling Cendyn. Thus, there's no evidence Alfa Bank or Trump Org were even involved. The evidence is quite clear that only Cendyn was involved.

After Cendyn deleted the domain "mail1.trump-email.com", lookups of that name started to fail. The Jones report notes that Alfa Bank then switched to "trump1.contact-client.com". It weaves this into the conspiracy thusly:

The fact that Alfa Bank was the first entity (IP address) to conduct a DNS look-up for "trump1.contact-client.com" in the data-set could indicate that someone at Alfa Bank was in some manner made aware of the new Trump Organization server name.

The name "contact-client.com" is part of Cendyn's infrastructure. For their "mail1.customer-email.com" domains, there's a matching "customer1.contact-client.com" domain. We can test that live right now:


This is totally consistent with Cendyn's re-use of the infrastructure for a new purpose, as it would treat both domain names the same. Rather than evidence suggesting human interaction, it's evidence suggesting the opposite, that there was no human interaction.


6. The Mandiant report doesn't refute these findings

After this thing hit the news, Alfa Bank hired Mandiant to come to their offices and investigate. Their report was inconclusive. They didn't find anything.

Note the difference in language. Things Mandiant can't explain demonstrate Mandiant's incompetence, while things Jones can't explain prove the conspiracy-theory. If Mandiant's report should be treated as inconclusive and proof of nothing, then so too should the Jones report. The Jones report has even less evidence than the Mandiant report.


7. The public statements by Trump et al. are contradictory and incomplete

Duh.

The Trump Org, Alfa, and Spectrum Health have no idea what happened. Their statements are consistent with knowing they don't have secret communications, but not knowing where this DNS data came from. They are unable to refute the allegations, but at the same time, are concerned for their reputations, and behave accordingly. Which, of course, means they guess at what's going on with more confidence than is warranted.

If there were secret communications among them, you'd expect they'd do a better job at coordinating their stories.


Conclusion

In this blogpost, I've refuted all the findings of the Jones report. There is still the question of where this DNS anomaly came from, but the allegation that this proves a secret connection between Alfa Bank and a Trump server is clearly false.

Moreover, I've shown that the Jones report is not merely wrong, but deliberately deceptive. They repeatedly reference a "Trump Organization Server" even though it's quite clear from the text they know that no such server exists.

For example, when Cendyn removed the "mail1.trump-email.com" DNS record, it was described as the "Trump Organization deleted the email server". It's clear they know that Cendyn simply removed the mail1.trump-email.com record, and that the Listrak server wasn't touched. Yet, they deliberately phrase things this way in order to deceive.

What we have is Alfa Bank doing DNS queries. What we don't have is any connection to the Trump Org. Since Jones couldn't reach the conclusion that Trump Org was involved based on evidence, he instead made it the premise.

This in turn makes it easy to disprove the entire Jones report: since there's not only no evidence of Trump Org involvement, but quite a lot of evidence that Trump Org had no control over the domain or servers, it disproves the entire theory that there were secret connections with Alfa Bank.

2 comments:

James Smyth said...

"But if Cendyn repurposes the server for something else, such lookups can still happen without connections. The DNS records hadn't changed. So if the server sends out new things from that IP address, unrelated to Trump Org, it'd still cause DNS lookups for the "trump-email.com" domain to happen. "

Can you explain this in more detail? From what I know about this area, it doesn't make sense. Are you suggesting that the receiving server would have cached the IP-to-name and when it sees traffic from the IP it would then do DNS on the name? For what purpose?

Pangric said...

The PTR record (linking the IP to the hostname) has not changed. Therefore, when the server tries to deliver mail, the receiver will resolve the IP to the hostname and subsequently try to resolve the hostname to see if the IP matches.
See for example http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
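The mechanism raised in Finding #1 of the post and in the comment thread just above (a receiving mail server looks up the sender's name without ever connecting to it) can be shown with a small simulation. The following is an added example, not code from the original post or the comments, that models the forward-confirmed reverse DNS check a receiving MTA performs when a client connects (the check behind Postfix's reject_unknown_client_hostname linked above). The DNS records are constructed for the demonstration; only the IP 66.216.133.29 and the name mail1.trump-email.com come from the post, and the PTR record tying them together is an assumption. Every query goes to the receiver's resolver, which is where a passive-DNS collector would see it; the receiver never opens a connection toward the looked-up name.

```python
# Added example: receiver-side FCrDNS lookups with a constructed zone.

# Constructed forward (A) and reverse (PTR) data. Only the trump-email.com
# name and its IP appear in the post; the rest is made up for the example.
FORWARD = {
    "mail1.trump-email.com.": "66.216.133.29",
    "mail1.hotel-example.com.": "192.0.2.10",      # constructed second client
}
REVERSE = {
    "66.216.133.29": "mail1.trump-email.com.",
    "192.0.2.10": "mail1.hotel-example.com.",
}

ARPA_SUFFIX = ".in-addr.arpa."


def reverse_name(ip):
    """Build the in-addr.arpa name a resolver queries for a PTR record."""
    return ".".join(reversed(ip.split("."))) + ARPA_SUFFIX


class Resolver:
    """Stand-in for the receiver's caching resolver. It records every query,
    which is the view a passive-DNS feed of the kind cited in the report has."""

    def __init__(self):
        self.query_log = []  # (qname, qtype) in the order they were asked

    def query(self, qname, qtype):
        self.query_log.append((qname, qtype))
        if qtype == "PTR" and qname.endswith(ARPA_SUFFIX):
            ip = ".".join(reversed(qname[:-len(ARPA_SUFFIX)].split(".")))
            return REVERSE.get(ip)
        if qtype == "A":
            return FORWARD.get(qname)
        return None


def fcrdns_check(resolver, client_ip):
    """Forward-confirmed reverse DNS: PTR for the connecting IP, then an A
    lookup of the name returned, accepted only if it maps back to the IP."""
    hostname = resolver.query(reverse_name(client_ip), "PTR")
    if hostname is None:
        return "unknown", None
    if resolver.query(hostname, "A") != client_ip:
        return "mismatch", hostname
    return "ok", hostname


def receive_smtp_connection(resolver, client_ip):
    """What a receiving MTA does when an SMTP client connects from client_ip.
    The traffic direction is client -> receiver; the receiver only asks DNS
    about the client, it never connects to the hostname it resolves."""
    verdict, hostname = fcrdns_check(resolver, client_ip)
    return {"client_ip": client_ip, "hostname": hostname, "fcrdns": verdict}


if __name__ == "__main__":
    r = Resolver()
    # Constructed event: something at 66.216.133.29 delivers mail to us.
    print(receive_smtp_connection(r, "66.216.133.29"))
    print(r.query_log)  # the lookups a DNS collector would record
```

Whatever the sending host at that IP is now used for, as long as the PTR record still names mail1.trump-email.com, every delivery it makes causes the recipient's resolver to ask for that name. That is the lookup without a connection the post describes, and it is also why only the handful of organisations still receiving mail from that IP would show up in the data.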