Here’s the Problem With the Story Connecting Russia to Donald Trump’s Email Server

A group of cybersecurity researchers thought the Trump Organization used a secret server to communicate with Russia’s largest private commercial bank. Here’s what’s wrong with that claim.

General view shows the logo on a building of Alfa bank in Minsk, Belarus June 19, 2016.  REUTERS/Vasily Fedosenko (Newscom TagID: rtrleight007365.jpg) [Photo via Newscom]
The logo of Alfa Bank is visible on a building in Minsk, Belarus on June 19, 2016. Photo: Vasily Fedosenko/Reuters/Newscom

On Monday night, Slate’s Franklin Foer published a story that’s been circulating through the dark web and various newsrooms since summertime, an enormous, eyebrow-raising claim that Donald Trump uses a secret server to communicate with Russia. That claim resulted in an explosive night of Twitter confusion and misinformation.

The gist of the Slate article is dramatic — incredible, even: Cybersecurity researchers found that the Trump Organization used a secret box configured to communicate exclusively with Alfa Bank, Russia’s largest privately-held commercial bank. This is a story that any reporter in our election cycle would drool over, and drool Foer did:

The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn’t the work of bots. The irregular pattern of server look-ups actually resembled the pattern of human conversation — conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.

These claims are based entirely on “DNS logs,” digital records of when one server looks up how to contact another across the internet. The logs, first gathered by an anonymous researcher going by the moniker “Tea Leaves” (an irony that should be lost on no one) and shared with a small group of academics, were provided to The Intercept and a handful of other news organizations. The New York Times, the Washington Post, Reuters, the Daily Beast, and Vice all examined these materials to at least some extent and did not publish the claims.

You can think of DNS like a phone book that maps people’s names to their phone numbers. For example, every time Alice wants to call Bob, she first looks up Bob’s phone number in the phone book, and then she dials the number into her phone. However, it’s possible that Alice might look up Bob’s phone number and not call him on the phone. It’s even possible that she might look up Bob’s phone number over and over on a regular basis, over the course of months, without actually calling him. The DNS look-ups that The Intercept and others (including Slate) reviewed are similar to records of Alice looking up Bob’s phone number in the phone book, but to call that evidence of sinister collusion between the two is, politely, a stretch. These DNS records alone simply cannot prove that any specific messages were sent at those times. In fact, they can’t really prove anything at all, and certainly not “communication” between Trump and Alfa. This cannot be overstated: No one, not Tea Leaves, not his academic peers, and not Franklin Foer, can show that a single message was exchanged between Trump and Alfa.


Putting aside how little there actually is to read in these tea leaves, the information we reviewed was filled with inconsistencies and vagaries. The Intercept (and other outlets) were presented with three documents: an academia-style white paper about the server, an analysis of that white paper, and a sprawling dossier on Alfa Bank. The author of the analysis paper refused to comment on the record or allow his name to be published. Both Tea Leaves and the analysis author said they did not know who wrote the other documents, and would not say how they obtained them. Professor L. Jean Camp, an esteemed computer scientist quoted at length in the Slate piece and also interviewed by The Intercept, said she knew the author of the Alfa Bank document — compiled with the exhaustive detail of a political oppo team, not a university researcher — but would not reveal who it was. Tea Leaves himself told The Intercept that he had to keep his identity and methods secret because “I run a cybersecurity company and I do not want DDOS and never have we been DDOS, nor do I want other attention.”

Looking at the documents themselves provided further oddities and errors. The white paper contends the following:

The Spectrum Health IP address is a TOR exit node used exclusively by Alfa Bank, i.e., Alfa Bank communications enter a Tor node somewhere in the world and those communications exit, presumably untraceable, at Spectrum Health. There is absolutely no reason why Spectrum would want a Tor exit node on its system.

This is simply untrue and easy to disprove using publicly available information: The Intercept confirmed that the IP address in question, and all other IP addresses on Spectrum Health’s network, did not host a Tor node during the time period.

On Tea Leaves’ WordPress site, he claimed that “only two networks resolved the host.” This is contradicted by the very works of analysis furnished by Tea Leaves’ collaborators: The author of the white paper found that at least 19 IP addresses, all belonging to different networks except for the two that belong to Alfa Bank, had looked up Trump’s server. And these are only the 19 the author was able to observe in a short time period — it can’t be ruled out that there were many more, which quickly deflates the portrait of a shady Russian backchannel.

The white paper included DNS look-up data, but not nearly enough to reproduce the results. Rather than the 19 IP addresses we expected to see, the data only included three, and the DNS look-ups were not for the same time period that the paper described. Tea Leaves published a different set of data on the dark web, which we also looked at, but this set of data only included a total of four IP addresses. When we pressed Tea Leaves for the complete set of data so we could attempt to reproduce the analysis, he gave us a new, more comprehensive set of data, but still that included a total of only eight IP addresses, and it was missing an IP address belonging to a VPN service in Utah that accounted for a significant portion of the DNS look-ups described in the paper.

What percentage of DNS look-ups for Trump’s email server could Tea Leaves and his colleagues observe, out of all DNS look-ups for that server on the whole internet? How can they be sure that the majority of DNS look-ups for Trump’s email server originated from Alfa Bank, when much of the data they collected didn’t even include DNS look-ups from IPs described in their own paper? What’s their margin of error? None of the analysis that we (and other journalists) obtained answered these questions.

The Simplest Explanation

Although the Slate article mentions Occam’s Razor, Foer never actually takes seriously the simplest plausible explanation for all of this: The Trump Organization owns a bunch of expensive, obnoxious spam servers that churn out marketing emails for its expensive, obnoxious hotels. Spectrum Health, an entity in this story whose presence never made any sense, provided the following statement:

Our experts have conducted a detailed analysis of the alleged internet traffic and did not find any evidence that it included any actual communications (no emails, chat, text, etc.) between Spectrum Health and Alfa Bank or any of the Trump organizations. While we did find a small number of incoming spam marketing emails, they originated from a digital marketing company, Cendyn, advertising Trump Hotels.

Spectrum also provided us with something not even Tea Leaves could: a copy of an email sent from the server. Did it contain a Cyrillic cipher? Not quite:

Spectrum was kind enough to include the email’s header data, which shows its origin:

Alfa Bank provided the same:

Now, these emails are from outside the time period observed by Tea Leaves et al. and only represents one data point. On the other hand, we now have one checkmark in the “this is just some dumb spam server” column, and zero in the “this is a hotline to Putin’s bedroom” column. Mandiant, a cybersecurity firm Alfa Bank hired to investigate the DNS logs once reporters came knocking, provided another deeply plausible explanation: All of the look-ups were the result of Alfa’s mail servers trying to figure out who was spamming them so much.

The information presented is inconclusive and is not evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump Campaign or Organization. The list presented does not contain enough information to show that there has been any actual activity opposed to simple DNS look-ups which can come from a variety of sources including anti-spam and other security software.

Security researcher Rob Graham points out that it’s a stretch to even claim that this server is truly “Trump’s”:

The evidence available on the internet is that Trump neither (directly) controls the domain “,” nor has access to the server. Instead, the domain was setup and controlled by Cendyn, a company that does marketing/promotions for hotels, including many of Trump’s hotels. Cendyn outsources the email portions of its campaigns to a company called Listrak, which actually owns/operates the physical server in a data center in Philadelphia. …

… When you view this “secret” server in context, surrounded by the other email servers operated by Listrak on behalf of Cendyn, it becomes more obvious what’s going on. In the same internet address range of Trump’s servers you see a bunch of similar servers, many named [client] In other words, is not intended as a normal email server you and I are familiar with, but as a server used for marketing/promotional campaigns.

Paul Vixie, quoted throughout the Slate story, is a legendary figure in the history of the internet whose expertise is near unparalleled when it comes to DNS. But even Vixie conceded to The Intercept that Tea Leaves’ evidence was conclusive of nothing: “It’s a perfect he-said, she-said situation. … Mandiant is guessing no. I am guessing yes. Neither of us has direct evidence.”

There are other, non-technical issues with the Foer piece. For one, the political connections between Trump and Alfa Bank are presented to the reader by highlighting the relationship between Trump and Richard Burt, a consultant who drafted a Trump campaign speech. Burt, Foer charges, “serves on Alfa’s senior advisory board.” Burt has indeed worked for years as an adviser to Alfa Bank and its founder, Mikhail Fridman. But he no longer serves on the board of Alfa Capital Partners, the Moscow-based fund associated with Alfa Bank. That company closed shop over a year ago. Foer made the same allegation in another piece published by Slate in July.

Could it be that Donald Trump used one of his shoddy empire’s spam marketing machines, one with his last name built right into the domain name, to secretly collaborate with a Moscow bank? Sure. At this moment, there’s literally no way to disprove that. But there’s also literally no way to prove it, and such a grand claim carries a high burden of proof.

Without more evidence it would be safer (and saner) to assume that this is exactly what it looks like: A company that Trump has used since 2007 to outsource his hotel spam is doing exactly that. Otherwise, we’re all making the exact same speculation about the unknown that’s caused untold millions of voters to believe Hillary’s deleted emails might have contained Benghazi cover-up PDFs.

Given equal evidence for both, go with the less wacky story.

Top photo: The logo of Alfa Bank is visible on a building in Minsk, Belarus, on June 19, 2016.

Update: November 1, 2016 This article has been updated to clarify Alfa Bank’s status as the largest private commercial bank.

Join The Conversation