Who is 'Tea Leaves'? What is TRUMP-EMAIL.COM? Who is Cendyn?

Today, a story that was popular a few months ago has gotten new life: according to several sources, a hacker going by the name 'Tea Leaves' found that a server in Trump Tower (TRUMP-EMAIL.COM) was communicating with a Russian bank, Alfa Bank.

Now, CNN and others are reporting that the FBI is actively investigating this issue. There are several major players that they might look into -- who are they?

Who is 'Tea Leaves'? What is this mysterious server TRUMP-EMAIL.COM? And who is Cendyn, the company listed as the contact for the domain name? Let's take a look.

Who is 'Tea Leaves'?

According to Slate, the scheme was discovered by a computer hacker who goes by the name 'Tea Leaves'.

The article says that 'Tea Leaves' is one of a group of the "most trusted DNS specialists -- an elite group of malware hunters who work for private contractors [and] have access to nearly comprehensive logs of communication between servers."

The latter statement is almost certainly false -- there is no such thing as a comprehensive log of communication between servers on the Internet.

'Tea Leaves' appears to be a DNS (domain name system) specialist, who somehow has access to historical DNS queries.

What does this mean? When you type a host name such as cnn.com into your browser, your computer sends a DNS query to a resolver (usually one run by your ISP or your company), which looks up and returns the IP address of cnn.com so your computer knows where to connect.

Because DNS is a distributed system, there is really nobody who has a comprehensive log. Resolvers at every level cache (store temporarily) the answers they receive, so most lookups are answered from a cache and never reach the server that is authoritative for the name.

The claim, then, appears to be that 'Tea Leaves' has access to the logs of the authoritative DNS servers that are queried for TRUMP-EMAIL.COM.

That access would be hard to come by, but whoever operates those servers does have it. When query logging is enabled, a log entry is written each time a query reaches that server, and Slate's claim amounts to 'Tea Leaves' having access to those entries. Note what such a log contains: the IP address of the resolver that asked (not necessarily the end host that wanted the answer), the name queried and a timestamp, and only for the queries that missed every cache along the way.
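To make concrete what the logs of an authoritative name server can and cannot show, here is an added example; it is not code from the original page, from Slate or from 'Tea Leaves'. It parses a handful of constructed query-log lines in the style BIND 9 writes (the exact line format, the RFC 5737 test addresses and the host name mail1.trump-email.com are assumptions made for the example), counts the lookups for names under trump-email.com by querying resolver, and computes the seconds between successive lookups from each resolver, which is the only timing information such a log carries.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Query-log lines in the style BIND 9 writes (assumed format for this example;
# the optional "queries: info:" prefix and "@0x..." client handle appear in
# some BIND versions). Addresses are RFC 5737 test ranges and the host names
# are made up; the lines are constructed, not real log data.
SAMPLE_LOG = """\
01-Nov-2016 01:00:00.123 client 203.0.113.5#53112 (mail1.trump-email.com): query: mail1.trump-email.com IN A -E(0) (192.0.2.1)
01-Nov-2016 01:00:00.456 client 203.0.113.5#53113 (mail1.trump-email.com): query: mail1.trump-email.com IN AAAA -E(0) (192.0.2.1)
01-Nov-2016 01:05:00.789 client 203.0.113.5#53990 (mail1.trump-email.com): query: mail1.trump-email.com IN A -E(0) (192.0.2.1)
01-Nov-2016 01:07:10.000 client 198.51.100.20#40001 (trump-email.com): query: trump-email.com IN MX + (192.0.2.1)
01-Nov-2016 01:08:00.000 client 198.51.100.20#40002 (www.example.com): query: www.example.com IN A + (192.0.2.1)
01-Nov-2016 01:09:00.000 zone trump-email.com/IN: sending notifies (serial 2016110101)
"""

# One query entry: timestamp, querying client (resolver IP and port), the name
# queried, class, type, query flags and the local server address.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: info: )?client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) "
    r"(?P<flags>\S+) \((?P<server>[^)]+)\)$"
)


def parse_query_log(text):
    """Return one dict per query entry; lines of other log categories are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # zone transfer, notify, or truncated line: not a query
        records.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            "client": m["client"],   # the resolver that asked, not the end host
            "name": m["name"].lower().rstrip("."),
            "type": m["type"],
        })
    return records


def in_zone(name, zone):
    """True if name is zone itself or a name below it."""
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def queries_by_client(records, zone):
    """Count queries for names under zone, keyed by the querying resolver IP."""
    return Counter(r["client"] for r in records if in_zone(r["name"], zone))


def query_intervals(records, zone):
    """Seconds between successive queries from each client for names under zone.

    This is query inter-arrival time at the log's millisecond resolution; a
    text log has no packet-level timing, so nothing here is an interpacket gap.
    """
    by_client = defaultdict(list)
    for r in records:
        if in_zone(r["name"], zone):
            by_client[r["client"]].append(r["ts"])
    gaps = {}
    for client, stamps in by_client.items():
        stamps.sort()
        gaps[client] = [round((b - a).total_seconds(), 3)
                        for a, b in zip(stamps, stamps[1:])]
    return gaps


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print(queries_by_client(recs, "trump-email.com"))
    print(query_intervals(recs, "trump-email.com"))
```

Two caveats fall straight out of the code: the client column is the resolver that forwarded the query, not the machine that wanted to send mail, and the intervals are query inter-arrival times at millisecond resolution, nothing like the packet timing a network capture would give. A log like this also records only the queries that reached this server, so an empty log does not rule out connections, and a full one does not prove that any connection followed the lookup.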

What is TRUMP-EMAIL.COM? Connection to Alfa Bank and Spectrum Health?

TRUMP-EMAIL.COM is the name of the server that is allegedly connecting to Russia. According to a hacker named Krypt3ia, TRUMP-EMAIL.COM is set up as a mail server but handles hardly any mail volume at all.

It is IP-restricted so that only specific hosts can talk to it, and one of those hosts appears to be the Alfa Bank server in Russia. Here is the WHOIS record for TRUMP-EMAIL.COM:

Domain Name: TRUMP-EMAIL.COM
Registry Domain ID: 1565681481_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2016-06-29T14:27:44Z
Creation Date: 2009-08-14T20:06:37Z
Registrar Registration Expiration Date: 2017-07-01T03:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Trump Orgainzation
Registrant Organization: Trump Orgainzation
Registrant Street: 725 Fifth Avenue
Registrant City: New York
Registrant State/Province: New York
Registrant Postal Code: 10022
Registrant Country: US
Registrant Phone: +1.2128322000
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: [removed]@cendyn.com
Registry Admin ID: Not Available From Registry
Admin Name: [Removed]
Admin Organization: Cendyn
Admin Street: [Removed]
Admin Street: Suite 419
Admin City: Boca Raton
Admin State/Province: Florida
Admin Postal Code: 33432
Admin Country: US
Admin Phone: [Removed]
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: ssl.admin@cendyn.com
Registry Tech ID: Not Available From Registry
Tech Name: [Removed]
Tech Organization: Cendyn
Tech Street: [Removed]
Tech Street: Suite 419
Tech City: Boca Raton
Tech State/Province: Florida
Tech Postal Code: 33432
Tech Country: US
Tech Phone: [Removed]
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: ssl.admin@cendyn.com
Name Server: NS1.CDCSERVICES.COM
Name Server: NS2.CDCSERVICES.COM
Name Server: NS3.CDCSERVICES.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-11-01T01:00:00Z 

The record shows the Trump Organization as the registrant (owner) of TRUMP-EMAIL.COM, with a company called Cendyn listed as the administrative and technical contact, i.e. the party managing the domain.

The name servers (NS1.CDCSERVICES.COM, etc.) are the servers whose logs 'Tea Leaves' would need to have had access to. Note what those logs would show: which resolvers looked up names under TRUMP-EMAIL.COM and when, which is evidence that someone asked for the address, not a record of who actually connected to the server.

Then Who is Cendyn?

Cendyn is the company that appears to have set up and managed the server. According to Krypt3ia, Cendyn does customer relationship management IT for hotels.

Krypt3ia claims that 'Tea Leaves' posted the logs from the name servers (above), and those are what show the lookups from Alfa Bank. However, a plain-text log carries no integrity protection, so the entries could have been doctored and there is no way to prove from the logs alone that they are genuine.

Krypt3ia says he did research on Cendyn and said this: "Cendyn is the name of the company and in their business history you can see how maybe a connection can be made to Russia." However, we could not find such a connection separately.

What is Interpacket Gap?

So how do we know if the logs 'Tea Leaves' had were authentic? According to the Slate article, they could not be faked by even the most skilled analyst due to "interpacket gap".

What is that? Strictly, the interpacket gap is the minimum idle time between successive frames on an Ethernet link; more loosely, the term is used for the timing between consecutive packets on the wire. How that relates to DNS logs is unclear: a query log records at best a timestamp per query, not packet timing, and a timestamp column can be fabricated as easily as any other field.
