The Washington PostDemocracy Dies in Darkness

That secret Trump-Russia email server link is likely neither secret nor a Trump-Russia link

Donald Trump speaks during the grand opening of Trump International Hotel in D.C. on Oct. 26. (Jabin Botsford/The Washington Post)

Of all the things that were going to get Donald Trump into trouble over the course of this election, I would have put "automated computer server activity" pretty low on the list. But here we are.

On Monday night, Slate published a lengthy story written by Franklin Foer exploring an odd connection between Trump's businesses and a bank in Russia. Researchers looking to track Russian attempts at hacking American political interests noticed that a server at the bank had been connecting to a server linked to Trump — sporadically, in a pattern that they felt was indicative of interpersonal communication. With attention in the presidential race focused on how Trump's political and economic interests might overlap with those of the Russian state, this was a tantalizing wisp of smoke.

For all of Foer's exegesis of the situation — culminating, he admits, with a lack of certainty about what it all means — it seems likely that the simplest answer isn't that someone affiliated with Trump or his campaign set up a backchannel method for contacting someone at Alfa Bank in Russia. It seems more likely that the human tendency for pattern-seeking is extracting a conspiracy theory from the automated clunkiness of the way the Internet works.

Naadir Jeewa does consulting work on precisely the sorts of systems involved in the Trump-Alfa scenario. When Foer's piece was published, he quickly tweeted a number of reasons that he was skeptical of the idea that this was somehow nefarious. (He has subsequently written out his thoughts.) Based in the United Kingdom, he spoke with The Fix by phone on Tuesday morning to explain his reasoning.

To understand what's likely happening, we need to establish a few basics. First of all, the Trump server wasn't really a Trump server. It was much less of a Trump email server, for example, than Hillary Clinton's email server was hers. Clinton had a physical server that hosted her email. The domain that Alfa was connecting to was hosted by a company called Cendyn. Cendyn runs marketing systems for the hospitality industry, meaning that it offers an out-of-the-box solution for a company that owns a bunch of hotels to push out sales pitch emails to its customers. In other words, isn't the email server Trump used to send emails from his closet. It was a domain name that linked back to a Cendyn server.

This is important for a few reasons. The first, Jeewa said, was that the was configured to reject a certain type of query from another server. Since its job was simply to push out thousands of enticements to come stay at Trump Soho (or whatever) it didn't need to receive many incoming requests (like incoming email). The second is that the conspiracy theory hinges on Trump's team using an offsite server hosted by someone else for its quiet communications with its Russian allies. Instead of, say, their own server, under their own control. Or an encrypted chat app. Or a phone call.

So why were the Alfa Bank servers communicating with in a rhythm that both seems to mirror human communication patterns and seems to have increased over the course of the campaign? To the latter point, the researchers looking at the traffic only began tracking communications in July, so everything's been within the context of the campaign. A graph created by the researchers seems "to follow the contours of political happenings in the United States," in Foer's words.

But it doesn't really. The biggest spike appears to have happened in early August — a point at which there was certainly a lot going on, but nothing particularly exceptional. This, too, seems more like pattern-seeking than a real correlation to events. (The question of when the communications occurred during the day is hard to evaluate, given the limited data we have available. It's worth remembering, though, that the seven-hour time shift between Moscow and the U.S. East Coast means that either we or they are at work for most of any 24-hour period.)

Jeewa notes that the type of requests the Alfa Bank servers were making were what's called an "A record lookup." (This is according to the files that have been made public, which, he said, could have been filtered to exclude other examples.) The domain name system relies on domain name servers (DNS), which act like a sort of Internet phone book. If you look up a business in a phone book, you'll see its main number, maybe a fax line, maybe some numbers for various departments. DNS look-ups work the same way: If a server wants to know how to contact, it contacts a DNS server to learn its number — not a phone number, but an Internet protocol (IP) address, which is a string of numbers allowing Internet traffic to find its destination. Domains, like the business in our phone book example, have different information available about how they can be contacted. An MX record provides a pointer to the domain's email system (think: fax number in the phone book). An A record is the main phone number, the IP address hosting the domain. It's probably the most basic type of domain lookup request. That's what Alfa Bank's servers appear to have kept requesting again and again.

Why? When an email is sent, the receiving server often checks to verify where it came from. To continue the analogy above, it's as though you got a call on your cell from a number, and the person said he was calling from Ace Electronics. You might look up Ace Electronics in the phone book and see if the phone number matched. Similar thing here: When an email came from, Alfa Bank's server likely checked the DNS system to get more information about the point of origin. Jeewa demonstrates that this is common practice by pointing out that one of the hacked Clinton campaign emails released by WikiLeaks includes an email from Cendyn's servers — and a request back from the recipient for more information. For some reason, it seems, the Alfa Bank servers keep asking for that A record over and over again.

One possibility is that the Trump system keeps sending out spam emails. Another is that the Alfa Bank server has a configuration issue. As Jeewa says in his write-up, "email systems are terrible." Email is a clunky, kludge-y way of passing text messages around the Web, and bugs can get introduced that cause weird behavior. It's far more likely in this case that the Alfa Bank servers are misfiring than that there's a secret communications system being used. Dyn — the DNS system that was attacked two weeks ago, crippling Internet connectivity — told a reporter from The Verge that it wasn't only Alfa that was looking up, suggesting that the server wasn't as secret as it seems.

Foer mentions in his piece that the New York Times was investigating the link. On Monday, the paper reported that the FBI had looked into and dismissed the idea that the two servers represented a secret communications channel. Investigators "concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts," the Times' Eric Lichtblau and Steven Lee Myers reported.

The campaign offered a statement to Foer. It read, in part: "The email server, set up for marketing purposes and operated by a third-party, has not been used since 2010. ... The Trump Organization is not sending or receiving any communications from this email server. The Trump Organization has no communication or relationship with this entity or any Russian entity."

After the Times started asking questions, the domain name changed, with Alfa Bank contacting the new email shortly afterward. This is offered by Foer as further evidence of a conspiracy, but Jeewa isn't sure. "All it looks like now is that their set up is like every other customers'," he said, meaning that the Trump system now fits the pattern of Cendyn's normal host-naming — or, more directly, that an old server used by one of Trump's companies was brought into conformance with Cendyn's other customers.

Why did the Alfa Bank server reach out to the new domain right away? It's not clear. Perhaps because the new server sent a test email, Jeewa said, and Alfa Bank was in the test group.

That's the thing about conspiracy theories. You can never answer all of the questions satisfactorily.