Trump, Alfa Bank & Purging News Sites


Sometime comedian Ed Brayton recently posted a list of news websites he believes should not be cited because they are deceptive or unreliable. He seems sincere, but I am worried that he may be, consciously or not, furthering a hidden campaign to suppress and punish adverse reporting about Donald Trump. Many of the sites in his list have published reports recently on the discovery of what appeared to be a dedicated connection between a computer registered to the Trump Organization and one owned by Alfa Bank in Moscow, as well as admissions by the Russian Government that they were, indeed, in communication with the Trump campaign. Rachel Maddow reported on this story, and treated it with the extreme gravity it deserves. Mother Jones reported on 31 October a credible claim that Russia had tried to “cultivate” Trump, and on 16 November that the NSA chief and other “senior US officials” believe that “Russia directly intervened in the US election”. The Alfa Bank is part of the Alfa Group, which has fascist connections and subsidiaries that have been involved in large-scale drug smuggling in Asia and South America, as well as in the notorious Oil-for-Food scandal in Iraq. The original report in Slate has been treated unfairly by Snopes, which I believe is fairly rare and a sign of trouble.


The Snopes Fact Check article by Kim LaCapria on the Trump / Alfa Bank server link contains internal evidence of bias and / or an intent to deceive. She criticizes Franklin Foer's Slate article for using anonymous sources, while leaving it to her own main source, Robert Graham, to mention two striking exceptions therein, the widely respected botnet expert Christopher Davis and the very famous DNS inventor Paul Vixie; and she suppresses, with Graham, Davis' observation

It looked weird, and it didn’t pass the sniff test...I get more mail in a day than the server handled...

and Vixie's judgement,

The parties were communicating in a secretive fashion. The operative word is secretive...

Moreover, although both LaCapria and Graham reproduce the Clinton campaign's eloquent tweet summarizing the Slate article's main points, neither LaCapria nor her own sources honestly address the evidence marshalled by Foer to support all four points.


In particular, Robert Graham, quoted extensively by LaCapria, states that Vixie "confirmed that the pattern of DNS requests came from humans, and not automated systems", but deceptively omits Vixie's judgement above, while opining that


Those researchers violated their principles,

referring by implication to Davis, Vixie & the other experts Foer consulted for his article. That this opinion is the final section of Graham's article reveals what is probably its main purpose: To attack the reputations of experts who dare to expose Trump's crimes.

Addressing his evident differences with Foer's experts, Graham offers this absurd passage, quoted with emphases by LaCapria:


None of the identified experts confirmed the story. Instead, the experts looked at pieces, and confirmed part of the story...

Neither of them, however, confirmed that Trump has a secret server for communicating with the Russians. Both of their statements are consistent with what I describe above -- that it's a Cendyn operated server for marketing campaigns independent of the Trump Organization.

Of course, the several experts consulted (Foer names others from among the nine he consulted for the article) each confirmed specific facts, which together constitute the story. Graham claims that his alternate theory is consistent with Davis' and Vixie's statements. Yet Vixie pointedly states (for reasons outlined by Foer but unmentioned by Graham) that the configuration was secretive. Graham's theory is not consistent with Vixie.

And, despite his repetition of the word "secret" when describing what he intends to debunk, Graham never really addresses secrecy, other than to state (evidently in reference to the fact that the servers were using regular domain names to find each other, as discussed by Russell Brandom, Graham's own main reference) that the server configurations were "open and obvious".

Graham tries to deny the Trump Organization's control over their server by blowing smoke. He writes,


That the Trump Organization is the registrant, but not the admin, demonstrates that Trump doesn't have direct control over it.

This is false and deceptive: In fact, a registrant frequently does control, through an online web interface, a server that is administered for it by another entity, particularly, as reported in this case, when the server is located in a data center.

Another dubious statement by Graham:


Cendyn's claim they are reusing the server for some other purpose is likely true. If you are an enterprising journalist with $399 in your budget, you can find this out. Use the website http://reversewhois.domaintools.com/ to get a complete list of the 641 other domains controlled by Cendyn, then do an MX query for each one to find out which of them is using mail1.trump-email.com as their email server.

First of all, there is no mail1.trump-email.com; that domain name was deleted on 23 September, although the corresponding PTR reverse-lookup record still persists (as of Thursday afternoon, 17 November 2016), evident sloppiness by whoever deleted the domain (this error is surprisingly common). So nobody is using that name. The IP it formerly resolved to (66.216.133.29) is owned by Listrak, and as that company operates data centers, they probably maintain the server as a virtual machine within a data center. This virtual machine is what Cendyn would be re-using.

Secondly, one need not pay a cent to make a DNS query.

Regarding the paucity, noted by Foer's experts, of cyber-irritation elicited by the sometime spam server, Graham writes,


Indeed, one journalist did call one of the public resolvers, and found other people queried this domain than the two listed in the Slate story -- debunking it. I've heard from other DNS malware researchers (names remain anonymous) who confirm they've seen lookups for "mail1.trump-email.com" from all over the world, especially from tools like FireEye that process lots of spam email.

Actually, like Graham himself, the journalist cited, Russell Brandom, doesn't provide any citations of queries to the Trump server in question, stating merely that others have told him of such queries.

Graham follows the unsupported claim above with an attack on Foer's sources' observation that the mail1.trump-email.com domain started failing DNS queries right after the NY Times contacted Alfa:


One person claimed that lookups started failing for them back in late June -- and thus the claim of successful responses until September are false. In other words, the "change" after the NYTimes queried Alfa Bank may not be because Cendyn (or Trump) changed anything, but because that was the first they checked and noticed that lookup errors were happening.

Should we trust Graham on this unattributed claim that he has evidence contradicting Foer's damning timeline? Graham's suggestion that Foer's experts didn't check the server for several weeks conflicts with Foer's report that the investigators were monitoring the server. This suggestion is one of Graham's most crucial statements, clearly an attempt to cast doubt on the experts' report that the Trump Organization's domain name functioned until 23 September, when it was removed from the domain name system, immediately after the New York Times investigators contacted Alfa Bank for comment. It's not surprising that Graham would want to discredit this report, which is a damning circumstance that strongly supports the thesis that the Trump Organization and Alfa Bank were in daily contact during the campaign. But Graham's suggestion that the experts weren't paying attention is wildly at odds with the experts' graph of domain name activity, which Foer provides in his article, and which shows clearly that they were, in fact, "checking" throughout this period. Graham's attempt to get away with this whopper is a pretty clear sign that his article is something other than objective analysis.

Let's check those logs: The most recent record for the server in the DNS lookup logs provided by Professor L. Jean Camp is

23-Sep-2016 09:48:06 client 217.12.96.15 query: mail1.trump-email.com IN A + (66.216.133.29)

whose date contradicts and disproves Graham's unattributed implication that this server was failing DNS lookups from late June on. Furthermore [as of Wed 16 Nov 2016], the collection of four dated logs contains lookup entries for all but eight of the 143 days in the range from 4 May through 23 September 2016, and six of these eight were in May. There is really no doubt that this domain name record was removed (or changed) on 23 September, just as Foer states.
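The day-by-day coverage count above is easy to reproduce mechanically. The following is an added example, not part of this post and not Professor Camp's own tooling: it parses log lines in the shape of the record quoted above (only that one line is taken from the logs; the other sample lines are constructed, using RFC 5737 documentation addresses), then reports which days in a date range have at least one lookup, which days are missing, and the most recent record for a given name. The field names and the 143-day range from 4 May to 23 September 2016 are taken from the text; the regular expression is an assumption about the log format based on the single quoted line.

```python
"""Daily-coverage check over DNS query-log lines (added example, not the post's own code)."""
from collections import Counter
from datetime import datetime, timedelta
import re

# Assumed line format, inferred from the one record quoted in the post:
#   DD-Mon-YYYY HH:MM:SS client <ip> query: <name> IN <type> + (<answer ip>)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) client (?P<client>[\d.]+) "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+) \+ \((?P<answer>[\d.]+)\)$"
)

# Constructed sample log. Only the 23-Sep line for mail1.trump-email.com is quoted from
# the post; the rest are made up to exercise the parser (incl. one malformed line).
SAMPLE_LOG = """\
04-May-2016 10:01:22 client 192.0.2.10 query: mail1.trump-email.com IN A + (66.216.133.29)
05-May-2016 11:15:03 client 192.0.2.10 query: mail1.trump-email.com IN A + (66.216.133.29)
07-May-2016 08:02:44 client 198.51.100.7 query: mail1.trump-email.com IN A + (66.216.133.29)
this line is deliberately malformed and must be skipped
23-Sep-2016 09:48:06 client 217.12.96.15 query: mail1.trump-email.com IN A + (66.216.133.29)
23-Sep-2016 09:50:12 client 198.51.100.7 query: mail.trump-email.com.moscow.alfaintra.net IN A + (66.216.133.29)
"""

TS_FMT = "%d-%b-%Y %H:%M:%S"
DAY_FMT = "%d-%b-%Y"


def parse_log(text):
    """Return a list of dicts for every well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def days_in_range(start, end):
    """All calendar days from start to end inclusive, given as 'DD-Mon-YYYY' strings."""
    first = datetime.strptime(start, DAY_FMT).date()
    last = datetime.strptime(end, DAY_FMT).date()
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


def daily_coverage(records, qname, start, end):
    """Return (seen_days, missing_days) as ISO date strings for one query name."""
    seen = {r["ts"].date() for r in records if r["qname"] == qname}
    all_days = days_in_range(start, end)
    seen_days = sorted(d.isoformat() for d in seen if all_days[0] <= d <= all_days[-1])
    missing_days = [d.isoformat() for d in all_days if d not in seen]
    return seen_days, missing_days


def last_record(records, qname):
    """Most recent record for qname, or None if the name never appears."""
    matching = [r for r in records if r["qname"] == qname]
    return max(matching, key=lambda r: r["ts"]) if matching else None


def query_names(records):
    """Count lookups per queried name; surfaces odd names such as concatenated labels."""
    return Counter(r["qname"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    name = "mail1.trump-email.com"
    seen, missing = daily_coverage(recs, name, "04-May-2016", "23-Sep-2016")
    print(f"{len(seen)} days with lookups, {len(missing)} without, "
          f"of {len(seen) + len(missing)} days")
    print("last record:", last_record(recs, name)["ts"].strftime(TS_FMT))
    for qname, n in query_names(recs).items():
        print(f"{n:4d}  {qname}")
```

To run this over the real logs, concatenate the four dated files and pass the text to parse_log; the coverage function then answers exactly the question posed above (which of the 143 days lack a lookup), and query_names makes any oddly concatenated names stand out without manual scanning.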

Moreover, 23 September was also the date of a brief series of logged queries for

mail.trump-email.com.moscow.alfaintra.net

(evidently recording activity in the RIPE region, not ARIN; and despite “intra” in the name component "alfaintra", the IPs logged therein are all public, not internal private addresses). Camp's theory that these log entries are the result of a typo, wherein an operator failed to erase the previous contents of a dialog field in the process of revising a domain name record, seems improbable to me, because of the period (".") separating the Trump and Alfa parts of the name; the type of error Camp describes would probably produce the string

mail.trump-email.commoscow.alfaintra.net

instead. But whatever caused them, these log entries clearly do establish the existence of an institutional link between Trump and Alfa, refuting the Trump campaign's denials.

Brandom and others cite the absence of more than minimal efforts at concealment in the link's configuration as evidence that no foul play was afoot. But the Trump campaign's lying about the relationship demonstrated above is stronger evidence that they did, indeed, have something to hide.

Now, back to Snopes and LaCapria: She associates the Slate story with a different one re-published by Occupy Democrats at the same time:

The Slate article's appearance just one week prior to the November 2016 general election unsurprisingly turned heads, despite its speculative nature. On the same day, the partisan Occupy Democrats web site published an item claiming that in an "October Surprise" development, ABC News had uncovered "hundreds of millions of dollars" in payments from Russians to Trump:

and uses the association to cast doubt on Foer's report by claiming that Occupy Democrats was trying to manipulate the election with that different report about a different event

Many social media users exposed only to the dueling headlines were left with the impression the two reports were linked and mutually substantiating. But Occupy Democrats' "October Surprise" piece was originally reported by another news outlet more than one month earlier and pertained to purported business (not campaign) dealings Trump had with Russian business interests...The Trump campaign addressed and denied the allegations, while Hillary Clinton immediately tweeted twice about them:

yet references tweets from Hillary Clinton (including the one from the top of this article) that are about Foer's accurate Slate report, not the Occupy Democrats' putatively manipulative one about something else.

This misdirection is clear evidence of bias or deceptive intent on LaCapria's part, as the reports are about different events, and Foer and Slate are not responsible for Occupy Democrats' actions.

The NYT article forwards uncritically a claim attributed to the FBI that the communication could be accounted for by spam email. But one of the reasons the Alfa Bank connection became a story was that the experts, as Christopher Davis indicates in his quote at the top of this article, view this as improbable because the range and volume of DNS traffic for the server was so small.

This is probably a replay of the NYT and other mainstream media outlets wrongly condemning Gary Webb's Dark Alliance series. Let's not let them get away with it this time.