Late on Monday afternoon, Slate published a lengthy article by Frank Foer presenting circumstantial evidence that the Trump Organization has a secret online communications link to Alfa Bank, a Russian bank with ties to the Kremlin. Foer never clearly spells out the implications, but he strongly implies there’s something nefarious going on here.
The story is catching a lot of attention because it jibes with other evidence that critics say points to links between Trump and the Russian government. Trump’s former campaign manager, Paul Manafort, had close ties to the Russian government. And the Trump campaign inserted Russia-friendly planks into the GOP platform during this summer’s convention.
But there is reason to doubt Foer’s sinister interpretation of the evidence about Trump’s email server. This evidence is entirely circumstantial, and there’s an innocent explanation for the traffic patterns that Foer identified: that the Trump Organization used an email marketing service to send out promotional emails about Trump’s hotels, and some of these emails went to Alfa Bank — perhaps because Alfa Bank employees have stayed at Trump hotels.
That theory seems to fit the evidence at least as well as Foer’s more conspiratorial interpretation — and other outlets and reporters found they couldn’t rule it out.
Foer and his sources aren’t the only ones who have been interested in the flow of traffic between the Trump Organization and Alfa Bank. The FBI, the New York Times, and other media organizations have all investigated the story. And so far none of them seem to believe that they’ve unearthed signs of a secret link between Trump and the Kremlin:
F.B.I. officials spent weeks examining computer data showing an odd stream of activity to a Trump Organization server and Alfa Bank. Computer logs obtained by The New York Times show that two servers at Alfa Bank sent more than 2,700 “look-up” messages — a first step for one system’s computers to talk to another — to a Trump-connected server beginning in the spring. But the F.B.I. ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.
“At least five outlets including The Intercept have been looking at this for weeks and decided it didn't add up,” tweeted Sam Biddle, a reporter at the Intercept, on Monday evening. He added that “The Trump/Alfa story could be true, but we all looked at the same data Foer did and it just won't take you to that conclusion.”
Trump servers communicated with the servers of a Russian bank
The domain name system (DNS) is the internet’s directory service. It helps computers across the internet find each other by translating domain names (like vox.com) into internet protocol addresses (like 18.104.22.168). When you send an email to someone at another domain, your email server will use DNS to figure out which server to send the message to.
Earlier this year, security researchers monitoring the flow of DNS requests noticed traffic linking the Trump Organization — the parent company responsible for many of Donald Trump’s hotels and other business ventures — to a Russian bank called Alfa Bank.
Logs suggested that there was a periodic flow of messages between the two organizations. And the timing of the messages suggested — at least to Foer and the security researchers Foer spoke to for the story — that they were communications from human beings, not automated systems.
Foer concludes that “the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence.”
Traffic did not peak during “election-related moments”
Foer claimed that “the conversation between the Trump and Alfa servers appeared to follow the contours of political happenings in the United States.” An expert told Foer that “at election-related moments” — like during this summer’s major party conventions — “the traffic peaked.”
But that’s wrong. If anything, the chart shows the opposite of that:
The most noticeable spike on this chart occurred in early August, a week after the Democratic convention had wrapped up and weeks before the first debate. The second most noticeable spike occurred in late June — another period when nothing in particular was happening in the campaign. There’s a much smaller spike during the Democratic convention and no apparent increase before or during the Republican convention.
In short, this chart seems to be totally unrelated to the political calendar. It provides no support for the idea that the Kremlin was using it as a back channel before and during the Republican National Convention in mid-July.
The mysterious traffic might just be spam promoting Trump hotels
Foer claims that the pattern of traffic between the Trump Organization and Alfa Bank servers is highly unusual — so unusual that it can best be explained as a secretive communication link between Donald Trump and the Kremlin.
But in this case, there seems to be a plausible and perfectly innocent explanation for the traffic pattern, one suggested by an IT consultant named Naadir Jeewa and endorsed by security expert Robert Graham: The Trump Organization is sending out promotional emails about Trump hotels, and one or more Alfa Bank employees are on the recipient list.
This is actually the explanation that’s suggested by Occam’s razor because — as Foer himself acknowledges in his story — the server was originally registered by an email marketing firm called Cendyn. The Trump Organization seems to have hired Cendyn to send out emails promoting Trump’s hotels, a service Cendyn has been providing since the Trump server was registered in 2009. So the most obvious explanation for the traffic is that Cendyn is using its server for its intended purpose.
Foer writes that when his sources tried to connect to Trump’s mysterious server, “they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses.” But Jeewa notes that this could simply reflect the fact that Cendyn’s servers are only configured for sending mail, not receiving it.
That raises another question: If the Trump Organization is only set up to send emails, not receive them, then why were the Alfa Bank servers seen doing DNS lookups on the Trump server? But, as Jeewa says, that’s not hard to explain, since it’s not uncommon for email servers to attempt a reverse connection after receiving an email to make sure that the sending server is legitimate.
Strangely, the logs Foer examined show that Alfa Bank is one of just two entities — the other is a Michigan health care organization called Spectrum Health — to show this kind of reverse connection back to Cendyn’s servers. And Foer does assert that the server “handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it.”
That might be evidence against the email marketing theory — if a server were sending out spam, you’d expect it to be communicating with more than two organizations. Jeewa suggests one possibility: that these two organizations just happen to have unusually chatty email servers. Perhaps a lot of other organizations also received promotional emails about Trump hotels, but because their email systems were set up differently, they didn’t generate records in the logs examined by Foer’s experts.
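The sender check and the "chatty server" possibility described above can be simulated offline. This is an added example, not code from the article or from anyone it quotes; it assumes the check is forward-confirmed reverse DNS (the article does not name the mechanism), and every hostname, address and recipient in it is constructed.

```python
# Constructed DNS data: RFC 5737 addresses and .example names, not real records.
SENDER_IP = "192.0.2.10"
SENDER_HOST = "mail1.hotel-marketing.example"
RECORDS = {
    ("PTR", SENDER_IP): [SENDER_HOST],
    ("A", SENDER_HOST): [SENDER_IP],
}
# Hypothetical recipients; the flag says whether their mail server verifies senders.
RECIPIENTS = {"bank.example": True, "clinic.example": True, "quiet.example": False}


class LoggingResolver:
    """Stand-in for one recipient's resolver; records every query it issues."""

    def __init__(self, owner, query_log):
        self.owner = owner
        self.query_log = query_log  # shared list, playing the passive DNS sensor

    def lookup(self, rtype, name):
        self.query_log.append((self.owner, rtype, name))
        return RECORDS.get((rtype, name), [])


def fcrdns_ok(resolver, client_ip):
    """PTR the connecting IP, then A each returned name; pass if the IP comes back."""
    return any(client_ip in resolver.lookup("A", host)
               for host in resolver.lookup("PTR", client_ip))


def deliver(recipients, client_ip):
    """Send one message to each recipient; return acceptance and the DNS queries seen."""
    query_log, accepted = [], {}
    for org, verifies in recipients.items():
        resolver = LoggingResolver(org, query_log)
        accepted[org] = fcrdns_ok(resolver, client_ip) if verifies else True
    return accepted, query_log


def forward_lookups_by_org(query_log, host):
    """Count lookups of the sender's hostname per querying organisation."""
    counts = {}
    for org, rtype, name in query_log:
        if rtype == "A" and name == host:
            counts[org] = counts.get(org, 0) + 1
    return counts


if __name__ == "__main__":
    accepted, log = deliver(RECIPIENTS, SENDER_IP)
    print(accepted)
    print(forward_lookups_by_org(log, SENDER_HOST))
```

All three recipients receive the message, but only the two that verify the sender leave lookups for its hostname in the query log, so a log of such lookups undercounts who was actually mailed.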
Another possibility: Foer isn’t working with complete data. Dyn, a major DNS provider, told the Verge’s Russell Brandom that its servers have seen other queries for the Trump domain, suggesting that the Trump server has been in contact with others besides Alfa Bank and Spectrum.
And when Foer contacted Spectrum for comment about the traffic, they replied that their analysis turned up “a small number of incoming spam marketing emails, they originated from a digital marketing company, Cendyn, advertising Trump Hotels.”
And crucially, the Spectrum Health traffic is no easier to square with Foer’s conspiratorial reading of the evidence. If Trump set up a secret hotline to the Kremlin, why would it also be communicating with a random health care organization in Michigan?
It’s also worth stepping back and looking at the bigger picture here. If Trump did want to set up a secret means of communicating with Russia, why do it this way? Setting up a special Trump server is conspicuous, needlessly complicated, and requires help from IT staff who might get suspicious. It’s a safe bet that if Trump had wanted to secretly communicate with the Russian government, Russia’s intelligence service would have supplied him with a way to do it that’s easy to use and much less conspicuous.