BuzzFeed News


Everything You Need To Know About A Trump Server's Chats With A Russian Bank

“At the end of the day, we don’t know what happened.”

Posted on November 1, 2016, at 5:21 p.m. ET


SAN FRANCISCO — Did Republican presidential nominee Donald Trump have a special email server used exclusively to communicate with a Russian bank with ties to President Vladimir Putin? On Monday night, the internet was abuzz with speculation after Slate published a story claiming that a number of experts had not only found the email server, but had concluded there was a “sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank,” a large, private bank in Russia whose oligarch founders have close ties to Putin.

Democratic presidential nominee Hillary Clinton piled into the news cycle with a tweet calling for an investigation into Trump’s ties to Russia.

It's time for Trump to answer serious questions about his ties to Russia. https://t.co/D8oSmyVAR4

Here’s what we know so far in this story — and what we don’t:

The original story said two servers — one owned by Trump, one Russian — were communicating.


A small group of experts who specialize in analyzing DNS traffic discovered that a Trump Organization server irregularly pinged two servers belonging to the Russian Alfa Bank, the Slate article said. DNS, or the Domain Name System, is like the internet’s phone book, maintaining a directory of domain names and translating them into Internet Protocol (IP) addresses. When you ask your computer to send an email or visit www.buzzfeed.com, it relays that request through a DNS server to direct your email (or web page request) to the right place.

By analyzing DNS logs, the experts found a steady line of communication between trump-email.com and Alfa Bank. Because the Trump server didn’t have a website associated with it, they determined that the requests being made to the servers were regular emails being sent between the two.

"The parties were communicating in a secretive fashion," Paul Vixie, one of the world’s foremost experts in DNS, said in the article. "The operative word is 'secretive.' This is more akin to what criminal syndicates do if they are putting together a project."

Many reading the story concluded, based on that quote, that Trump, or someone close to him, was regularly communicating with someone within Russia about money, his political campaign, or both.

Trump and Alfa Bank have said there’s nothing nefarious going on at all.


In a statement to Slate, Alfa Bank denied that it had ever been in contact with the Trump campaign. Meanwhile, cybersecurity expert Rob Graham wrote that he was told by Alfa Bank IT operations that its executives like to stay at Trump hotels: “in other words, there's good reason for the company to get spam from, and need to communicate with, Trump hotels to coordinate events.”

Trump’s campaign told Slate the server in question was not being used by the Trump Organization, and that it had not been in use since 2010.

“To be clear, The Trump Organization is not sending or receiving any communications from this email server,” the statement read. "The Trump Organization has no communication or relationship with this entity or any Russian entity."

There are competing theories for what the servers were really doing.


The server that controls the domain "trump-email.com" was set up and controlled by Cendyn, a company that does marketing and promotion for hotels, according to analysis Graham published Monday. Cendyn, wrote Graham, outsources its email campaigns to a company called Listrak, which operates the physical server out of a data server in Philadelphia.

“That this is just normal marketing business from Cendyn and Listrak is the overwhelming logical explanation for all this,” concluded Graham. “What we see here is a normal messed up marketing (aka. spam) system that the Trump Organization doesn't have control over. Knowing who owns and controls these servers, it's unreasonable to believe that Trump is using them for secret emails.”

Naadir Jeewa, another cybersecurity expert, also looked at the servers and concluded that a system malfunction was the most plausible explanation for the back-and-forth between the servers.

Chris Davis, one of the computer science experts quoted in the Slate report, said he’d only looked at the server but there was no doubt it was behaving strangely.

“The first day I looked at it I thought it was just a marketing server,” Davis told BuzzFeed News, but he kept asking himself why it would only be focused on marketing to Alfa Bank. “Maybe it was just a misconfigured server and it was just sending volumes of marketing to Alfa Bank … It could be automated, people set up servers all the time and forget about it. But why would it send thousands of DNS requests to Alfa bank and why would no one there complain about it?”

We know the servers shut down after the New York Times began investigating the story — but not why.


The original Slate report pointed out that the trump-email.com domain stopped working on Sept. 23, less than a day after New York Times reporters reached out to Alfa Bank regarding the story. Just days later, on Sept. 27, Slate noted, a new domain called trump1.contact-client.com was created, and the first attempt to look it up was by Alfa Bank. Vixie was quoted as saying the only way Alfa Bank could have known about the new host name was through direct contact with whoever changed it.

But Graham and Jeewa both argue that what might have happened could just as easily be explained as Cendyn changing the server once the NYT alerted the Trump organization that it was behaving strangely. Graham writes that Alfa Bank was not the only server that queried mail1.trump-email.com, but that it seemed to get a lot of requests including from places that tend to process a lot of spam emails.

The NYT, meanwhile, has reported that the FBI had looked into and dismissed the idea that the two servers represented a secret communications channel. Investigators “concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.”

We still can’t say for sure what really happened.


Without more data — ideally a look at Alfa Bank’s servers or a look at emails being allegedly sent — it’s impossible to conclude what was actually happening here, said five cybersecurity experts who spoke to BuzzFeed News Tuesday morning.

The evidence that Trump was using a special email server to communicate with Russia is circumstantial, said the experts, and it’s just as easy to conclude that the requests spotted between the servers were promotional emails about Trump’s hotels which went to employees at Alfa Bank who had previously stayed at one of the venues.

“I would never say for sure that this was one thing or another,” Davis said. “I don’t have enough data to draw a conclusion.”

“This is the problem with these stories — in order to figure out what really happened you need to violate a lot of people’s privacy, the basic privacy of the internet, by delving into DNS and the metadata of traffic,” said one DNS expert, who asked not to be quoted on record because he said he didn’t want his name and company dragged into what he described as an “ugly political mess.”

“At the end of the day, we don’t know what happened,” he said. "Unless everyone wants to show their cards on the table, we won’t ever know."

    Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
