On Monday night, Slate’s Franklin Foer published a story that’s been circulating through the dark web and various newsrooms since summertime, an enormous, eyebrow-raising claim that Donald Trump uses a secret server to communicate with Russia. That claim resulted in an explosive night of Twitter confusion and misinformation.

The gist of the Slate article is dramatic — incredible, even: Cybersecurity researchers found that the Trump Organization used a secret box configured to communicate exclusively with Alfa Bank, Russia’s largest privately held commercial bank. This is a story that any reporter in our election cycle would drool over, and drool Foer did:

The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn’t the work of bots. The irregular pattern of server look-ups actually resembled the pattern of human conversation — conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.

These claims are based entirely on “DNS logs,” digital records of when one server looks up how to contact another across the internet. The logs, first gathered by an anonymous researcher going by the moniker “Tea Leaves” (an irony that should be lost on no one) and shared with a small group of academics, were provided to The Intercept and a handful of other news organizations. The New York Times, the Washington Post, Reuters, the Daily Beast, and Vice all examined these materials to at least some extent and did not publish the claims.

You can think of DNS like a phone book that maps people’s names to their phone numbers. For example, every time Alice wants to call Bob, she first looks up Bob’s phone number in the phone book, and then she dials the number into her phone. However, it’s possible that Alice might look up Bob’s phone number and not call him on the phone. It’s even possible that she might look up Bob’s phone number over and over on a regular basis, over the course of months, without actually calling him. The DNS look-ups that The Intercept and others (including Slate) reviewed are similar to records of Alice looking up Bob’s phone number in the phone book, but to call that evidence of sinister collusion between the two is, politely, a stretch. These DNS records alone simply cannot prove that any specific messages were sent at those times. In fact, they can’t really prove anything at all, and certainly not “communication” between Trump and Alfa. This cannot be overstated: No one, not Tea Leaves, not his academic peers, and not Franklin Foer, can show that a single message was exchanged between Trump and Alfa.

Inconsistencies

Putting aside how little there actually is to read in these tea leaves, the information we reviewed was filled with inconsistencies and vagaries. The Intercept (and other outlets) were presented with three documents: an academia-style white paper about the server, an analysis of that white paper, and a sprawling dossier on Alfa Bank. The author of the analysis paper refused to comment on the record or allow his name to be published. Both Tea Leaves and the analysis author said they did not know who wrote the other documents, and would not say how they obtained them. Professor L. Jean Camp, an esteemed computer scientist quoted at length in the Slate piece and also interviewed by The Intercept, said she knew the author of the Alfa Bank document — compiled with the exhaustive detail of a political oppo team, not a university researcher — but would not reveal who it was. Tea Leaves himself told The Intercept that he had to keep his identity and methods secret because “I run a cybersecurity company and I do not want DDOS and never have we been DDOS, nor do I want other attention.”

Looking at the documents themselves provided further oddities and errors. The white paper contends the following:

The Spectrum Health IP address is a TOR exit node used exclusively by Alfa Bank, i.e., Alfa Bank communications enter a Tor node somewhere in the world and those communications exit, presumably untraceable, at Spectrum Health. There is absolutely no reason why Spectrum would want a Tor exit node on its system.

This is simply untrue and easy to disprove using publicly available information: The Intercept confirmed that the IP address in question, and all other IP addresses on Spectrum Health’s network, did not host a Tor node during the time period.

On Tea Leaves’ WordPress site, he claimed that “only two networks resolved the mail1.trump-email.com host.” This is contradicted by the very works of analysis furnished by Tea Leaves’ collaborators: The author of the white paper found that at least 19 IP addresses, all belonging to different networks except for the two that belong to Alfa Bank, had looked up Trump’s server. And these are only the 19 the author was able to observe in a short time period — it can’t be ruled out that there were many more, which quickly deflates the portrait of a shady Russian backchannel.

The white paper included DNS look-up data, but not nearly enough to reproduce the results. Rather than the 19 IP addresses we expected to see, the data only included three, and the DNS look-ups were not for the same time period that the paper described. Tea Leaves published a different set of data on the dark web, which we also looked at, but this set of data only included a total of four IP addresses. When we pressed Tea Leaves for the complete set of data so we could attempt to reproduce the analysis, he gave us a new, more comprehensive set of data, but still that included a total of only eight IP addresses, and it was missing an IP address belonging to a VPN service in Utah that accounted for a significant portion of the DNS look-ups described in the paper.

What percentage of DNS look-ups for Trump’s email server could Tea Leaves and his colleagues observe, out of all DNS look-ups for that server on the whole internet? How can they be sure that the majority of DNS look-ups for Trump’s email server originated from Alfa Bank, when much of the data they collected didn’t even include DNS look-ups from IPs described in their own paper? What’s their margin of error? None of the analysis that we (and other journalists) obtained answered these questions.
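The sampling problem raised in these questions can be made concrete. The following is an added example, not part of the original article or of any analysis it describes: it tallies lookups per source network from a constructed log and shows how one network's apparent share of lookups changes when another source is missing from the data set. The log format, the `example.com` names, the RFC 5737 documentation addresses and the network labels are all assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed log, one lookup per line: "<UTC time> <source IP> <name> <type>".
# Addresses are RFC 5737 documentation ranges; names are placeholders.
SAMPLE_LOG = """\
2016-06-01T13:02:11Z 192.0.2.10 mail1.example.com A
2016-06-01T13:40:52Z 198.51.100.7 mail1.example.com A
2016-06-01T14:15:03Z 192.0.2.11 mail1.example.com A
2016-06-02T06:12:30Z 203.0.113.5 mail1.example.com A
2016-06-02T07:45:09Z 198.51.100.7 mail1.example.com A
2016-06-02T09:20:18Z 203.0.113.99 www.example.com A
truncated line
"""

# Hypothetical labels for the networks the lookup sources belong to.
NETWORKS = {
    "network-a": ip_network("192.0.2.0/24"),
    "vpn-provider": ip_network("198.51.100.0/24"),
    "other": ip_network("203.0.113.0/24"),
}

def parse_lookups(text, qname):
    """Return the source IP of every well-formed lookup for qname."""
    sources = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2].rstrip(".").lower() != qname:
            continue  # wrong name or truncated record
        try:
            sources.append(ip_address(fields[1]))
        except ValueError:
            continue  # malformed address: skip rather than guess
    return sources

def share_by_network(sources, exclude=()):
    """Fraction of observed lookups per network, optionally dropping some."""
    counts = Counter()
    for ip in sources:
        label = next((n for n, net in NETWORKS.items() if ip in net), "unknown")
        if label not in exclude:
            counts[label] += 1
    total = sum(counts.values())
    return {label: n / total for label, n in counts.items()} if total else {}

if __name__ == "__main__":
    seen = parse_lookups(SAMPLE_LOG, "mail1.example.com")
    print("all sources:    ", share_by_network(seen))
    print("one source lost:", share_by_network(seen, exclude={"vpn-provider"}))
```

With every source present, `network-a` accounts for 40 percent of the observed lookups; with the `vpn-provider` records absent it appears to account for two thirds, although nothing about its own behavior changed.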

The Simplest Explanation

Although the Slate article mentions Occam’s Razor, Foer never actually takes seriously the simplest plausible explanation for all of this: The Trump Organization owns a bunch of expensive, obnoxious spam servers that churn out marketing emails for its expensive, obnoxious hotels. Spectrum Health, an entity in this story whose presence never made any sense, provided the following statement:

Our experts have conducted a detailed analysis of the alleged internet traffic and did not find any evidence that it included any actual communications (no emails, chat, text, etc.) between Spectrum Health and Alfa Bank or any of the Trump organizations. While we did find a small number of incoming spam marketing emails, they originated from a digital marketing company, Cendyn, advertising Trump Hotels.

Spectrum also provided us with something not even Tea Leaves could: a copy of an email sent from the mail1.trump-email.com server. Did it contain a Cyrillic cipher? Not quite: