Maybe the whole thing is nothing, or maybe it’s something, but that article leaps to some unwarranted conclusions about who controls the domain (or server). The information in a whois record as to who is the registrant and who is the admin are simply text fields that say nothing about who actually can control the domain, and even less about who controls the server (although there is often a 1 to 1 mapping, a server and a domain are not necessarily the same thing). Whoever has the login information can control the server. I can lease a server from a company on the internet and have more or less complete control over the configuration etc. regardless of who’s physically in possession of that server or what the whois record for a domain pointing at it says.
The fact that other companies have domains using Cendyn servers in the same address range is completely irrelevant to anything. That’s Cendyn’s business. It’s what they do.
That said, if I’m being objective, I’m having difficulty envisioning what damning super secret information could be being exchanged between that server and Alfa and why it wouldn’t be sent via more secure channels, especially given what we know about the NSA’s massive capabilities. Surely Putin and his cronies would be more sophisticated about this even if Trump wouldn’t be.
In any normal election year, this would be reported on 24/7 on all the networks. 2016 is weird. This simply confirms what we’ve all suspected about Trump, but for some reason Clinton’s email non-scandal is juicier? I really wonder about the intelligence of some of these TV station managers, why run yet another email story instead of this explosive Trump revelation?
That’s not entirely true. The Slate article I posted in the OP points out other connections, including:
The server is not currently being used by Cendyn. Once it started connecting to Alfa, it didn’t get used for anything else. It receives incoming email from Cendyn, but it doesn’t send any. Cendyn itself is a company that handles marketing for Trump Hotels. It’s not an independent business.
(here’s the op link again, for convenience)
The researchers in the Slate article found a spike in communications between Alfa bank and the Trump Tower server which coincided with notable events in the American political scene. For example, the largest spikes occurred before the debates.
I quoted this previously, but here it is again, and here’s a direct link to the graph (although it looks better if you go to the article and click on it):
The original Trump server address stopped working when the NYT stopped asking questions. Shortly after that, on September 27, someone in Trump’s camp set up a second DNS connection to Alfa bank, using the Trump name. Someone in Trump Tower, using Trump’s server name, was deliberately communicating with Alfa Bank.
It might have been the janitor, sure, or it might have been the people who slap the Trump name on everything they touch, who are known to have connections to Russian money and who had previously rented a Trump Tower apartment to a Russian mobster.
So it’s not just one random DNS server name, it’s two, and there’s a record of activity in the last couple months that corresponds to both political activities and NYT investigative activities.
I agree that we can’t put a personal name to whoever was operating that server but I think it’s incorrect to just dismiss this as a one time event unconnected to the Trump family and their activities.
Sorry Merneith but I have to ask, how familiar are you with the Internet technologies involved?
The Slate article is utter gibberish technically.
I read it earlier but I’m just gonna quote some fragments from your post:
Already nonsense.
There’s a difference between:
whois records
DNS records
IP addresses
servers
The quoted sentence fragment already confuses those four technologies. It refers to a whois record. Nothing to do with a server, as such.
The whois was registered by a company called Cendyn. From publicly available info, you can see that they have hundreds of identical domain setups for many of their customers. They also own the name servers (and thus the DNS records) for all those domains.
Well sure. If you go to the DNS records, there’s an address record for IP address 66.216.133.29. That IP address belongs to a company called Listrak. You can whois, ping and traceroute it yourself to see that it responds normally for a server run by Listrak. One of the businesses of Listrak is e-mail campaigns.
I don’t understand this at all. It belongs to Listrak and loads of public info proves this.
They didn’t. They performed DNS queries which produce error messages. Still do right now.
They have DNS server logs from Cendyn’s nameservers for the “Trump” domain.
Those servers serve a large number of domains, so this is a filtered log.
It is utterly implausible for the two addresses mentioned to be the only sources of the DNS queries. (I can’t prove this, but my link says: “Indeed, one journalist did call one of the public resolvers, and found other people queried this domain than the two listed in the Slate story – debunking it.”)
So the reasonable conclusion is somebody filtered those two DNS query sources out of the nameserver logs.
Those DNS queries will simply happen when a computer receives email from that domain. So it proves nothing.
Nobody even talks about the actual traffic between the machines. There’s no info presented about that.
The whole “Russian bank” doesn’t even have anything to do with the story. (I completely reject the significance of your point 3, it’s not even coincidence, it’s absolutely nothing.) Their only connection to the story is that they have a computer that’s connected to the Internet (and likely, receives e-mail).
Slate has a long history of absolutely awful tech reporting. If you read something in Slate about computers, close the story and come back in 48 hours to see it properly reported (and often debunked) by people who actually know what they’re talking about.
I’m going to stop you right here and point out that for a guy who claims to be a computer whiz, your refusal to use simple bbcode to attribute where each of your quotes is coming from is a pain in the ass. Your insistence on focusing on sentence fragments raises questions about your writing skills as well.
You can thank me later for looking up all the context and attributions.
The full quote from the OP, of which Frankenstein Monster quotes only the first words, is:
The server was first registered to Trump’s business in 2009 and was set up to run consumer marketing campaigns. It had a history of sending mass emails on behalf of Trump-branded properties and products. Researchers were ultimately convinced that the server indeed belonged to Trump.
The point, which Frankenstein Monster fails to address, is that the server belonged to and was used by the Trump Organization.
The precise steps taken by the domain webmaster to establish the server “registered”, whether with an ISP or with a Domain Name Server, is irrelevant.
(And speaking of irrelevancies - whois information is generated when a server is established with a DNS, which associates the IP address to the server and links it to a domain name (the common whatever.com url). It’s not four separate registrations.)
The researchers in the article had access to more than just a simple DNS lookup.
To quote from an earlier part in the article:
The researchers in the article were working from databases of internet traffic, created by people who work at the various DNS systems and from the ISPs themselves. This is more info than you will find from a simple IP search.
Slate didn’t publish the full records of everything the researchers discovered during their investigation into the history of the server in Trump Tower, using the resources which I discussed in the paragraph above.
Slate is publishing an article about the research, not the research itself.
The researchers, operating here under the pseudonym “Tea Leaves”, are vouched for publicly and quoted extensively in the Slate article by Jean Camp, of Indiana University, Christopher Davis, of HYAS InfoSec, and DNS expert Paul Vixie.
I am not claiming to be an expert here. If you want to argue with an expert that their findings are gibberish, take it up with Camp, Davis and Vixie.
“Pinging the server” is a common language expression for attempting to reach a remote server.
Note that actually “pinging a server” … is not the same thing as a DNS query. Pinging is a network testing tool. It tests the connection between a computer (like, for instance, the one the researchers quoted in Slate’s article were using) and a remote server (like, for instance, the server in Trump Tower.)
OTOH, a DNS query is a lookup to determine if a particular domain name is available online at a particular IP address. It’s a test of the domain name system hierarchy.
But who cares - the whole of the section from the Slate article, which you cut off, reads:
That wasn’t the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses. A small portion of the logs showed communication with a server belonging to Michigan-based Spectrum Health. (The company said in a statement: “Spectrum Health does not have a relationship with Alfa Bank or any of the Trump organizations. We have concluded a rigorous investigation with both our internal IT security specialists and expert cyber security firms. Our experts have conducted a detailed analysis of the alleged internet traffic and did not find any evidence that it included any actual communications (no emails, chat, text, etc.) between Spectrum Health and Alfa Bank or any of the Trump organizations. While we did find a small number of incoming spam marketing emails, they originated from a digital marketing company, Cendyn, advertising Trump Hotels.”)
Spectrum accounted for a relatively trivial portion of the traffic. Eighty-seven percent of the DNS lookups involved the two Alfa Bank servers. “It’s pretty clear that it’s not an open mail server,” Camp told me. “These organizations are communicating in a way designed to block other people out.”
The precise technique that the researchers performed is irrelevant to the article’s conclusion: that their results show that the Trump Tower computer was configured in such a way as to be used almost exclusively for communicating with Alfa Bank.
But as noted earlier, the researchers are operating with more than DNS tools and simple look ups.
I reread your article and don’t find it persuasive.
To begin with, your article quotes only anonymous sources that they have seen other email from the Trump Tower computer. The Slate article quotes three experts.
Your article tries to dismiss those experts, because each of them is quoted in conjunction with different things in the Slate article - and concludes that therefore, the experts don’t support the entire article. That’s not a safe conclusion.
Unless Vixie, Camp and/or Davis weigh in to explain that the Slate article does not represent their views fairly, I’m unmoved by Robert Graham’s dismissal of their statements to Slate.
Furthermore, the Slate article specifically states Vixie’s conclusions that the server at Trump Tower was designed similar to a clandestine server used by a criminal organization:
According to Paul Vixie, these computers were not simply receiving email spam.
I mean - I’ve quoted a bunch of people saying that the computer at Trump Tower and the computer at Alfa bank were connected. I’ve quoted them saying so and also their reasons for saying so.
Unless Vixie, Davis or Camp retract, I consider the matter settled.
Perhaps the Slate piece was poorly written in terms of technical accuracy. And if you click on the byline, it is pretty obvious that the author is far from objective. But how does one account for the porphyria? That, when there seemed to be a threat of being brought out into daylight, the phantasm evaporated, only to resurface with a different name, then slink away when once again threatened with exposure? That single aspect of the story is what lends it a bit of weight.
I don’t think this thread and board is a good venue to continue our argument.
What I did was, I went to the “original research/accusation” which I believe is mirrored here. Then I went digging for myself with whois, ping, nslookup, traceroute, etc. The usual tools.
I stand by my conclusions. The data does not support the (scandal) accusation. Even with Merneith’s more complete quotes and context, a great deal of the conclusions are variously wrong/confused/gibberish, some of which I tried to explain.
ETA: As for those “experts”, I’m not questioning their credentials. I think most of them were not given the full info or context, or not given time to research, or were perhaps quoted incorrectly or selectively or out of context.
Bah, can’t leave this alone, since some of the facts are so plainly wrong. I’ll just take two.
Do we agree what they mean by “the computer at Trump Tower”?
I assume they mean the computer that responds at IP address 66.216.133.29.
Whois says that IP range is owned by Listrak.
Traceroute strongly suggests that it is physically located in a data center operated by Tierpoint and located in Pennsylvania.
Everything suggests that it is one of a large set of machines (whether real or virtual) set up by Listrak for email campaigns.
Or am I taking this “Trump Tower” too literally?
C:\WINDOWS\system32>ping 66.216.133.29
Pinging 66.216.133.29 with 32 bytes of data:
Reply from 66.216.133.29: bytes=32 time=111ms TTL=48
Reply from 66.216.133.29: bytes=32 time=114ms TTL=48
Reply from 66.216.133.29: bytes=32 time=114ms TTL=48
Reply from 66.216.133.29: bytes=32 time=110ms TTL=48
Ping statistics for 66.216.133.29:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 110ms, Maximum = 114ms, Average = 112ms
Tried this many times over the days. Never any error. Tried from two IP addresses.
This is why I thought they meant DNS queries when they said “they received error messages”.
As for the logs, I can only assume they refer to these:
10-May-2016 16:12:48 client 167.73.110.8 query: mail1.trump-email.com IN A + (66.216.133.29)
10-May-2016 16:12:48 client 167.73.110.8 query: mail1.trump-email.com IN A + (66.216.133.29)
11-May-2016 15:38:40 client 217.12.96.15 query: mail1.trump-email.com IN A + (66.216.133.29)
16-May-2016 01:22:00 client 167.73.110.8 query: mail1.trump-email.com IN A + (66.216.133.29)
16-May-2016 03:21:33 client 167.73.110.8 query: mail1.trump-email.com IN A + (66.216.133.29)
22-May-2016 05:41:43 client 217.12.96.15 query: mail1.trump-email.com IN A + (66.216.133.29)
24-May-2016 22:45:43 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
25-May-2016 22:47:14 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
25-May-2016 22:47:14 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
31-May-2016 08:29:38 client 217.12.96.15 query: mail1.trump-email.com IN A + (66.216.133.29)
31-May-2016 15:43:09 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
31-May-2016 23:48:05 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
These are DNS query logs. They do not show “communication with a server belonging to Michigan-based Spectrum Health”, from the “Trump” (Listrak) computer, by any normal understanding of that statement.
Anyway, all the info is out there for any technical person to see for themselves.
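The post above argues that the excerpt is a filtered slice of a nameserver log, because only a handful of client addresses appear. A quick way to check that kind of claim on any query-log excerpt is to parse it and count per-client queries, duplicates and the time span. The script below is an added example written for this thread, not code from any poster or from Slate; SAMPLE_LOG is the excerpt quoted in the post above re-entered one record per line, and the parser also accepts BIND's usual "client IP#port:" form, which the excerpt omits.

```python
"""Summarize who asked a nameserver for a name, from BIND-style query-log
lines.  Added example for this thread, not any poster's code.  SAMPLE_LOG
is the excerpt quoted in the post above, one record per line."""
import re
from collections import Counter
from datetime import datetime

# timestamp, client (optionally "#port" and a trailing colon as BIND writes
# it), queried name, class/type, flags, and the address in parentheses.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"client (?P<client>[0-9a-fA-F.:]+?)(?:#\d+)?:? "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<addr>[0-9a-fA-F.:]+)\)$"
)

SAMPLE_LOG = """\
10-May-2016 16:12:48 client 167.73.110.8 query: mail1.trump-email.com IN A + (66.216.133.29)
10-May-2016 16:12:48 client 167.73.110.8 query: mail1.trump-email.com IN A + (66.216.133.29)
11-May-2016 15:38:40 client 217.12.96.15 query: mail1.trump-email.com IN A + (66.216.133.29)
16-May-2016 01:22:00 client 167.73.110.8 query: mail1.trump-email.com IN A + (66.216.133.29)
16-May-2016 03:21:33 client 167.73.110.8 query: mail1.trump-email.com IN A + (66.216.133.29)
22-May-2016 05:41:43 client 217.12.96.15 query: mail1.trump-email.com IN A + (66.216.133.29)
24-May-2016 22:45:43 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
25-May-2016 22:47:14 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
25-May-2016 22:47:14 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
31-May-2016 08:29:38 client 217.12.96.15 query: mail1.trump-email.com IN A + (66.216.133.29)
31-May-2016 15:43:09 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
31-May-2016 23:48:05 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
"""


def parse_line(line):
    """One log line -> dict of fields, or None if it is not a query record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
    return rec


def records(text, qname=None):
    """All parsed records, optionally restricted to one queried name."""
    out = [r for r in map(parse_line, text.splitlines()) if r]
    if qname:
        out = [r for r in out if r["qname"].lower() == qname.lower()]
    return out


def clients(text, qname=None):
    """{client IP: number of queries}: the resolvers visible in the excerpt."""
    return dict(Counter(r["client"] for r in records(text, qname)))


def duplicate_lines(text):
    """Records repeated verbatim (same timestamp, client and name); a raw
    log rarely contains these, a pasted or post-processed excerpt may."""
    seen = Counter((r["ts"], r["client"], r["qname"]) for r in records(text))
    return {k: n for k, n in seen.items() if n > 1}


def span_days(text):
    """Whole days between the first and last record, for rate estimates."""
    stamps = [r["ts"] for r in records(text)]
    return (max(stamps) - min(stamps)).days if stamps else 0


if __name__ == "__main__":
    for ip, n in sorted(clients(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} queries")
    print(f"{len(clients(SAMPLE_LOG))} distinct clients over "
          f"{span_days(SAMPLE_LOG)} days, "
          f"{len(duplicate_lines(SAMPLE_LOG))} duplicated records")
```

On the excerpt this reports three client addresses, twelve records over 21 days and two records that appear twice. Whether that is the complete log for the name or a selection is exactly the question the post raises, and a count like this is the first thing to ask the source for when a log excerpt is offered as evidence.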
Frankenstein Monster and Merneith, I think we can all agree that the articles and other information that are publicly available have been short or vague on technical details. I think that it is important to remember that it is said this is a mail server. It behaves very oddly for a publicly available mail server (this probably won’t work from home for most people, most ISPs block port 25):
~$ telnet 66.216.133.29 25
Trying 66.216.133.29...
Connected to 66.216.133.29.
Escape character is '^]'.
521 lvpmta14.lstrk.net does not accept mail from you (XXX.XXX.XXX.XXX)
Connection closed by foreign host.
(Obfuscation mine)
I submitted nothing in that connection, no host identifier, no HELO or EHLO, no carriage return, nuttin. It at least exposed the host name it identifies itself by (which incidentally resolves to a different IP) in exchange.
As a sometime security admin who’s administered literally thousands of servers, that’s odd goddamn behavior for a publicly available mail server. From a security standpoint, if you’re not going to accept mail from me, why allow me to connect to the port at all and open yourself up to a potential exploit or denial of service? Just block it at the firewall and don’t let them waste your resources opening the connection in the first place. Let them waste their resources opening connections you are discarding without replying. If they’re big boys, or have hired them, they can just overload your connection if all they want to do is destroy you, but have the cut-off of what destroys you set as high as possible. If I weren’t worried about becoming part of the story (and almost certain more clever monkeys than I have started), I’d start trying to find out how poorly this box is set up just based on that.
Now, that doesn’t mean that it’s nefarious, but if it didn’t act this way before people started asking about the server: it implies that the operators got paranoid, but aren’t particularly careful or smart.
I will say that the authors saying the server was located in Trump Tower is wishful thinking. It might, but through the same technologies that make that possible, it could also be sitting in my living room in Texas (but I’m smart enough to put it in decent data center). However, it seems obvious that this server was associated with a Trump-controlled domain at some point.
But either way, since the info we’re getting is either incomplete or slightly incoherent, you might have to do your own research to make any headway on this story. Plus, even after they dumbed it down, it might contain too much inside baseball to be decipherable to the general public.
Good info scabpicker, and I have to say it certainly looks odd, but if a Russian interest wanted to secretly communicate with people in the Trump organisation this is a highly incompetent way to do it, setting up an open mail server that only accepts connections from certain IP addresses. That’s like painting a target on yourself.
Now while the Trump organisation may well be incompetent, I would expect the Russians to be more careful. Literally they would have been much better off using a freely available strong encryption solution like Proton Mail or Signal. Millions of people use these systems, so traffic analysis is difficult, and the math is solid; there is reason to believe that even the NSA cannot break these, but even if they can, the task of picking out the correct signals to decrypt out of the millions of people that use these services would be much harder than just monitoring a mail server with a fixed IP, packet sniffing it and throwing brute force at whatever you capture.
It’s true that I have not admined thousands of servers. I’m willing to let this go until more info appears. That said - I do think this warrants more investigation and I also think it would be reasonable for the FBI to pursue this with, say, half the concern they’ve put into other server-related investigations in which they did not just shrug and say, “oh, well, I’m sure this weird server has an innocent explanation.”
I was hoping that Ars Tech would say something more about this, too.
I don’t think it behaves oddly at all. I think it shows that that server is smartly and securely configured and that Listrak is a well run, competent operation.
What I think happens is that the SMTP server performs a reverse DNS lookup on the incoming connection and then perhaps further validations (e.g. DNS MX lookup, existence of SPF) on the incoming domain.
Those are smart security checks, very easy to code in the SMTP server but not so straightforward, if not impossible, as firewall rules AFAIK.
I tried that telnet thing too, from two “plain” IP addresses (no PTR records), and I got the same results you did.
Unfortunately I don’t have shell access to any properly configured outgoing email server so I can’t try it out realistically. Anybody else?
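The two posts above disagree about whether a 521 refusal on connect is odd or is a sensible MTA policy. The script below is an added example, not Listrak's code or any poster's, showing the connect-time decision the later post hypothesises: before the client has sent HELO, the server looks up the connecting address's PTR record, checks that the name resolves back to that address, and checks that the name's domain publishes MX or SPF, refusing with 521 (defined in RFC 7504 as "server does not accept mail") when any check fails. The DNS data is constructed and the lookups are injected so it runs offline; a firewall could not make this decision because it requires DNS lookups, which is the point the post makes.

```python
"""Connect-time SMTP policy of the kind the post above hypothesises.
Added example; not Listrak's code or any poster's.  All DNS data below is
constructed (RFC 5737 documentation addresses) and stands in for real
lookups, so the module runs offline."""
from dataclasses import dataclass, field


@dataclass
class FakeDns:
    """Constructed DNS view used instead of real resolver calls."""
    ptr: dict = field(default_factory=dict)   # ip -> hostname
    a: dict = field(default_factory=dict)     # hostname -> ip
    mx: set = field(default_factory=set)      # domains that publish MX
    spf: set = field(default_factory=set)     # domains that publish v=spf1


def sender_domain(hostname):
    """'mail.example.net' -> 'example.net' (naive: drops the first label)."""
    parts = hostname.rstrip(".").split(".")
    return ".".join(parts[1:]) if len(parts) > 2 else hostname


def connect_policy(client_ip, dns, banner_host="mta.example", allow=frozenset()):
    """Reply sent the moment a client connects: (code, text).

    Order of checks: explicit allowlist; a PTR record must exist; the PTR
    name must resolve back to the connecting IP (forward-confirmed rDNS);
    the name's domain must publish MX or SPF.  Any failure yields 521, the
    reply seen in the telnet session quoted earlier in the thread."""
    refuse = (521, f"{banner_host} does not accept mail from you ({client_ip})")
    greet = (220, f"{banner_host} ESMTP")
    if client_ip in allow:
        return greet
    host = dns.ptr.get(client_ip)
    if host is None:
        return refuse                      # no reverse DNS at all
    if dns.a.get(host) != client_ip:
        return refuse                      # PTR name not forward-confirmed
    dom = sender_domain(host)
    if dom not in dns.mx and dom not in dns.spf:
        return refuse                      # domain shows no sign of sending mail
    return greet


# Constructed records: one legitimate relay, one with a forged PTR, one
# whose domain publishes neither MX nor SPF, and one with no PTR at all.
DNS = FakeDns(
    ptr={"198.51.100.7": "mail.example.net",
         "203.0.113.5": "mx.example.org",
         "192.0.2.20": "relay.example.com"},
    a={"mail.example.net": "198.51.100.7",
       "mx.example.org": "203.0.113.99",
       "relay.example.com": "192.0.2.20"},
    mx={"example.net"},
    spf={"example.net"},
)

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "192.0.2.20", "192.0.2.10"):
        code, text = connect_policy(ip, DNS)
        print(f"{ip:14} -> {code} {text}")
```

A client with no PTR record, a forged PTR, or a domain with neither MX nor SPF is refused before it can issue a command, which matches what the quoted telnet session shows: the server answered 521 with no HELO sent. The trade-off the earlier post raises stands: the TCP connection is still accepted and the DNS lookups still cost something, so a policy like this reduces abuse of the mail path rather than exposure of the port.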
I scanned through the election thread and found some brief notice taken of it, including one poster mentioning that he had recommended it to the editors. However, it seems like it might be too partisan for the ars news pages. They put up controversial content but it looks like they shy off partisanship. And Foer, the Slate author, looks like he has a toupée hair up his ass, so that kind of compromises the original story a bit.
I’m gonna throw one more thing out here. Didn’t notice it right away (since it’s such a target rich environment) but this really sets off my alarm bells. As in, somebody is really constructing cherry picked bits of data and using it to goad people into the scandal. Really pulling our leg, with malice aforethought - on purpose. Criminal intent. Dirty deeds, done dirt cheap!
Now I am the first one to note that whois info is not significant. Nobody puts accurate info in there, since it’s meaningless and it’s a real spam and scam magnet, among other reasons. I own a domain myself, and this is what I do. (These days, my registrar even does it for me automatically.)
Except…
There is one little piece of whois info that actually is important and significant.
Coincidentally, it’s just the little piece that was left out by the scandalmonger above and that proves the domain does NOT belong to Trump!
Due to an amazingly poorly thought out ICANN rule, you have to put valid e-mail addresses into your whois records, and actually read the e-mails sent there. Otherwise, you risk losing your registration. (Almost happened to me.)
Now let’s have a look at the complete whois record for “Donald Trump”:
Domain Name: TRUMP-EMAIL.COM
Registry Domain ID: 1565681481_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2016-06-29T14:27:44Z
Creation Date: 2009-08-14T20:06:37Z
Registrar Registration Expiration Date: 2017-07-01T03:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Trump Orgainzation
Registrant Organization: Trump Orgainzation
Registrant Street: 725 Fifth Avenue
Registrant City: New York
Registrant State/Province: New York
Registrant Postal Code: 10022
Registrant Country: US
Registrant Phone: +1.2128322000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
**Registrant Email: emcmullin@cendyn.com**
Registry Admin ID: Not Available From Registry
Admin Name: Emily McMullin
Admin Organization: Cendyn
Admin Street: 1515 N Federal Highway
Admin Street: Suite 419
Admin City: Boca Raton
Admin State/Province: Florida
Admin Postal Code: 33432
Admin Country: US
Admin Phone: (561) 750-3173
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
**Admin Email: ssl.admin@cendyn.com**
Registry Tech ID: Not Available From Registry
Tech Name: Emily McMullin
Tech Organization: Cendyn
Tech Street: 1515 N. Federal Highway
Tech Street: Suite 419
Tech City: Boca Raton
Tech State/Province: Florida
Tech Postal Code: 33432
Tech Country: US
Tech Phone: +1.5617503173
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
**Tech Email: ssl.admin@cendyn.com**
Name Server: NS1.CDCSERVICES.COM
Name Server: NS2.CDCSERVICES.COM
Name Server: NS3.CDCSERVICES.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-11-01T10:00:00Z <<<
See the bolded e-mail addresses?
Now what would be the more obvious conclusion as to who controls the registration?
Dirty deeds and they’re done dirt cheap… Dirty deeds and they’re done dirt cheap…
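The post above makes the point that the name and address fields of a whois record are free text, while the contact e-mail addresses are the one part a registrar actually exercises. The script below, an added example and not any poster's code, parses a registrar whois record into its fields (keeping repeated fields such as Domain Status and Name Server), pulls out the Registrant, Admin and Tech e-mail addresses, and reports the mail domains behind them next to the organisations named in the text fields. SAMPLE_WHOIS is an excerpt of the record quoted above with the bold markers removed; nothing else is assumed.

```python
"""Parse a registrar WHOIS record and extract the contact e-mail addresses,
the part of the record a registrar verifies.  Added example, not any
poster's code; SAMPLE_WHOIS is an excerpt of the record quoted in the
post above (bold markers removed, spelling as published)."""
import re
from collections import defaultdict

SAMPLE_WHOIS = """\
Domain Name: TRUMP-EMAIL.COM
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Creation Date: 2009-08-14T20:06:37Z
Registrar: GoDaddy.com, LLC
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Registrant Name: Trump Orgainzation
Registrant Organization: Trump Orgainzation
Registrant Phone Ext:
Registrant Email: emcmullin@cendyn.com
Admin Name: Emily McMullin
Admin Organization: Cendyn
Admin Email: ssl.admin@cendyn.com
Tech Name: Emily McMullin
Tech Organization: Cendyn
Tech Email: ssl.admin@cendyn.com
Name Server: NS1.CDCSERVICES.COM
Name Server: NS2.CDCSERVICES.COM
Name Server: NS3.CDCSERVICES.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-11-01T10:00:00Z <<<
"""

# "Field Name: value"; the non-greedy key stops at the first colon, so
# values containing colons (URLs, timestamps) survive intact.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")


def parse_whois(text):
    """{field: [values...]}; repeated fields keep every value, empty
    fields (e.g. 'Registrant Phone Ext:') are dropped."""
    rec = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(2).strip():
            rec[m.group(1)].append(m.group(2).strip())
    return dict(rec)


def contact_emails(rec):
    """{'Registrant': addr, 'Admin': addr, 'Tech': addr} for roles present."""
    return {role: rec[f"{role} Email"][0]
            for role in ("Registrant", "Admin", "Tech") if f"{role} Email" in rec}


def contact_domains(rec):
    """Mail domains that receive the registrar's verification mail."""
    return {addr.rsplit("@", 1)[1].lower() for addr in contact_emails(rec).values()}


def controlling_parties(rec):
    """Organisations named in free-text fields beside the verified mail domains."""
    orgs = {rec.get(f"{r} Organization", [""])[0] for r in ("Registrant", "Admin", "Tech")}
    return {"organizations": orgs - {""}, "contact_domains": contact_domains(rec)}


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    for role, addr in contact_emails(record).items():
        print(f"{role:10} {addr}")
    print(controlling_parties(record))
```

On the quoted record every contact role, including the registrant's, routes to cendyn.com, while the free-text organisation fields name two parties. For an analyst the verified contact domain is the field to weigh when asking who can actually act on a registration, which is the distinction the post draws.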