[update: 03/09/15 1824 MDT]
At this point, I consider Confluence Networks to be a dead-end with regards to the Clinton e-mails. Of course, it still remains a fascinating topic in and of itself, one I may get back to at some point. but not right now.
[update: 03/06/15 0756 MST]
I have a new article up, with fresh evidence that the clintonemail.com domain may have been run off a commercial web-hosting service rather than on a private in-home server. [ADDED] Also, since my updates are up front, it may help to scroll down to “BACK TO OUR ORIGINAL POST”, read from there to the end, then come back to the top, read the updates below, and then go over to my newest post.
[update: 03/05/15 0846 MST]
I just discovered that WordPress had somehow published last night an earlier version of this post without the MAJOR UPDATE below. My apologies to those who may have been confused thereby.
Possibly because of that, I have been getting e-mail asking about searching the MX records of the clintonemail.com domain and the use of MX Logic to help provide security, something which I did yesterday (due to feedback) and which I mention in this blog post. I have sent out more or less the same response twice to that question this morning, so I thought I’d post that response here.
First, I believe there have been other investigations that suggest that the use of MX Logic for incoming e-mail filtering was a later development in the life of the domain; that there are indications that an different e-mail security solution was tried first and likely found wanting. Absent fixed dates for these solution(s), it’s hard to determine what the security level was throughout the four years of Clinton’s service as SecState and her exclusive use of the clintonemail.com domain for all official communications. (Note that I do, in fact, mention MX Logic below and that it is an incoming e-mail filtering system.)
Second, and part of what got me started on this, was that I haven’t been able to independently confirm — and I’m not sure anyone outside of AP has — that an in-house server was in fact used (or used solely) for the clintonemail.com domain. Even my ‘major update’ below merely ties “Eric Hoteham” to the Clintons’ home address and the acquisition of eight static IP addresses nearly a year before the clintonemail.com domain was set up — and that one of those static IP addresses was associated with clintonemail.com for five months in 2010.
While that certainly is consistent with an in-home server (for at least those five months), it doesn’t prove it, and it does not explain the domain’s continuous association with two outside hosting firms (The Planet and Confluence Networks) for the entire duration of the domain’s existence. It is not as if Clinton is going to get truly massive traffic on this domain, seeing as how there appear to be only 2-3 people with clintonemail.com addresses, she’s not exactly publicizing the domain, and there does appear to be some filtering in place. So using an outside hosting service for DNS purposes alone doesn’t make a lot of sense — it’s just an added level of exposure. So I keep coming back to the question: was the e-mail server (or a front-end e-mail server) hosted for some period of time — and possibly the entire period of time — by an outside hosting firm?
In that context, I find it very curious — and significant — that nowhere in here have Clinton aides/friends, or Clinton herself, either confirmed or denied that there was — and was solely — an in-house server. The AP has not released details as to how it reached its conclusion there, and frankly their reporting has some ambiguous wording in it.
So, if in fact, mail to clintonemail.com was going to a server hosted by The Planet or (heaven forbid) Confluence Networks, even post-filtering, there is a very real on-site security exposure there, regardless of the use of MX Logic or other incoming e-mail filtering and exposure.
I’m leaving the rest of the post intact, but — thanks to Liz Kreutz at ABC News — I’ve finally found information that ties clintonemail.com to a static IP address connected to “Eric Hoteham” and the Clinton’s home address in Chappaqua.
What I wasn’t getting from DomainTools.com was a DNS history for the domain (d’oh!). Liz sent me a link to DNSHistory.org (sigh), which gives the following information for clintonemail.com:
The window is small — just 5 months in 2010 — but it shows that DNS was resolving at least during that period to the IP address 126.96.36.199.
Now, if we use DomainTools on that IP address, we get the following whois information:
IP Location United States United States Chappaqua Eric Hoteham ASN United States AS6128 CABLE-NET-1 - Cablevision Systems Corp. (registered Dec 31, 1969) Resolve Host ool-18bbeabb.static.optonline.net Whois Server whois.arin.net IP Address 188.8.131.52 ... CustName: ERIC HOTEHAM Address: 15 OLD HOUSE LN City: CHAPPAQUA StateProv: NY PostalCode: 10514 Country: US RegDate: 2008-02-01 Updated: 2011-03-19 Ref: http://whois.arin.net/rest/customer/C01876138
This shows that ‘Eric Hoteham’ registered for this IP address in February 2008, eleven (11) months before the clintonemail.com domain was created. (And, yes, the 15 Old House Lane address is the Clintons’ home.) If we look up the whois link in the last line, we find the same information for Eric Hoteham. And if we look at this link, it appears that Eric actually received a range of 8 consecutive static IP addresses (184.108.40.206 through 191).
However, this still doesn’t tell us that this IP address was for a dedicated server at the Clintons’ house, though it suggests it. More digging needed.
BACK TO OUR ORIGINAL POST
[UPDATES: I’ve inserted some more screenshots, more stuff on Confluence Networks, a discussion on e-mail filters, etc.]
First, many thanks for the feedback that I’ve gotten from a number of sources that have added to or clarified what I’ve been looking at, including Fred Nixon, John Hagala, Andy (@TheH2) and Daniel Lee (DaninMN) at Ace of Spades, my co-blogger Bruce Henderson, Joe Gomez, and at least two sources that would like to remain anonymous.
OK, we all know about the news stories that have broken in the past few days about (a) Hilary Clinton using a private e-mail address (domain: clintonemail.com) to conduct all State Department business during her time as SecState, and (b) the allegations this morning about her private e-mail address being run off a server in her home in Chappaqua.
The question about (b) is that this was reported by AP, but I have yet to find any independent confirmation of what they claim. All other articles that cite the mysterious Eric Hoteham (who may actually be Eric Hothem), his signing up the 15 Old House Lane address in Chappaqua for internet service, and his use of the same PO Box as the Clinton Foundation tax returns all point back to the AP article.
I have spent time most of today doing my own sleuthing on the web and am coming up with some very different answers — but intriguing ones, nevertheless.
First, I have found a reference to “Eric Hoteham” over at WebBoar.com, but in relation to the domain wjcoffice.com. It even includes a map showing the location of a server in Chappaqua, though the location appears to be generic center-of-town; the Clinton residence is about 3/4 mile northeast of the red marker, near where you see the creek pass under Bedford Road, while the actual location on the map is a small retail center with two restaurants and a Walgreens:
Now, as for the ‘clintonemail.com’ domain — DomainTools.com tells me quite a few things about it, but tells a different story.
First, others have noted, the domain was created on January 13, 2009. The original point of contact for the domain was Justin Cooper, presumably the senior advisor to Bill Clinton. He continues to be the contact for the domain until June 15, 2014, when point-of-contact is switched over to Perfect Privacy LLC, a firm out of Florida specializing in keeping domain ownership information confidential.
[UPDATE 03/04/15 1923 MST]
A number of people have very helpfully pointed out the need to examine MX records with regards to clintonemail.com; after the first suggestion, I did so myself, and others have sent me their own results. It points to MX Logic in Colorado for incoming mail and — as is clear from the MX Logic website — this is merely filtering the e-mail, not providing the actual e-mail server.
But it’s the hosting/IP information that’s curious. According to DomainTools, clintonemail.com has had two unique IP addresses during its existence.
On Jan 19 2009 (six days after the domain was created), DomainTools gives it an IP address of 220.127.116.11 and shows it as being hosted by ThePlanet.com, a Houston-based web hosting firm that would later (November 2010) merge with SoftLayer, which in turn (June 2013) would be bought by IBM.
However, nearly three years after the domain was created — that is, on Dec 22, 2011 — the hosting IP address changes to 18.104.22.168, which is hosted by Confluence Networks — and this is where we start down the rabbit hole.
Confluence Networks has a remarkably primitive, uninformative, and unhelpful website that includes misspellings and shows a copyright date of 2012. I’ll reproduce it here in its fullness:
Yep, that’s it. This is the website of the firm that (according to DomainTools.com) has hosted clintonemail.com for over 3 years. But wait! It gets better. According to whois records, Confluence Networks has a business address in…the British Virgin Islands:
OrgName: Confluence Networks Inc OrgId: CN Address: 3rd Floor, Omar Hodge Building, Wickhams Address: Cay I, P.O. Box 362 City: Road Town StateProv: Tortola PostalCode: VG1110 Country: VG RegDate: 2011-04-07 Updated: 2011-07-05 Ref: http://whois.arin.net/rest/org/CN
Note carefully that the registration date for Confluence Networks as an organization is April 7, 2011 — predating the switchover of clintonemail.com by only 8 months. So this is not some long-established, well-known firm. Note also that the contact numbers for tech support and abuse reports are both in the United States. I did a (paid) reverse lookup on the tech support number (via Intellius) and got a report that the (415) number is owned by Media.Net Advertising FZ-LLC:
This appears to be this firm: http://www.media.net/aboutus. Said firm appears to be based out of Dubai. This strongly suggests that Confluence Networks is owned by, or at least closely tied to Media.Net Advertising FZ-LLC.
Information about Confluence Networks Inc is remarkably hard to come by, but I ran across this mention of it — and its business relationship with Network Solutions — in a June 2013 article in SecurityWeek by Rod Rasmussen. Key excerpts:
This June, thousands of domains were moved; everything from mom-and-pop shops to huge Internet properties like LinkedIn, Fidelity, Craigslist, Yelp and even the US Postal Service (USPS). The domains started resolving to a so-called “parking” page on the Web, and then with the crush of traffic, stopped working at all. Email, DNS provisioning and other services tied to those domains also started resolving to an oddball network out of the US Virgin Islands—this sent the security community into frenzy as you might think. . . .
. . . Speculation about what happened revolves around a seeming partnership Network Solutions has with a company in the U.S. Virgin Islands called Confluence Networks Inc. to transfer expired domains to them. . . .
So, according to internet records, clintonemail.com was hosted by a British Virgin Island-based firm (Confluence Networks Inc) that itself appears to be tied to and/or run by a Dubai-based firm (Media.Net).
[UPDATE 03/04/15 1727 MST]
Confluence Networks gets even more interesting. Thanks to someone who has done a lot of digging on CN, here’s a display of offshore companies that appear to be directly associated with the address and PO Box listed for Confluence Networks. If you click on the circles, you will get expanding connections. It appears that an organization named New Haven Group now uses that PO Box (a switch that appears to have happened last November), but all the on-line records I can find for Confluence Networks still have the VBI address. The same contact has found an address and phone number for Confluence Networks in Austin — and it appears to be the same address as one of Data Foundry’s data centers. There are other indications as well that the Confluence Networks physical hosting may actually be in Austin, Texas — which is at least a better location than the indications that the server was in the British Virgin Islands.
[UPDATE 03/04/15 2157 MST]
Meanwhile, Gerry Daly (@GerryDales) over on Twitter used Archive.org to look up earlier versions of the Confluence Networks web page. The tech phone number there is based in India; searching on that phone number gets us to this page, which claims (in comment #39) that Confluence Networks is based out of the United Arab Emerates (UAE), with tech support out of India.
[UPDATE 03/07/15 0816 MST]
Confluence Networks has responded, denying that it ever hosted the clintonemail.com e-mail server itself, but was merely a parking place (on behalf of Network Solutions) for the ‘Coming Soon’ page that and a million other domains.
This does not strike me an appropriately secure hosting solution for the official e-mails of the United States Secretary of State. If, in fact, they were hosted there. So far, I have not seen any denials about the Clintons hosting their own e-mail server in their own home. But it’s curious that I get a far different answer when searching.
Let’s chase down the rabbit hole a bit more. Who owns the domain name “confluence-networks.com”? We do know that’s the correct domain, since it’s given in the whois information:
OrgNOCHandle: NOCAD51-ARIN OrgNOCName: NOC Admin OrgNOCPhone: +1-415-223-2606 OrgNOCEmail: firstname.lastname@example.org OrgNOCRef: http://whois.arin.net/rest/poc/NOCAD51-ARIN
Well, as it turns out, that domain name itself was registered — on April 7, 2011 — using a registration privacy organization:
Registration Service Provided By: RESELLERCLUB Contact: +1.4152361970 Website: http://www.resellerclub.com Domain Name: CONFLUENCE-NETWORKS.COM Registrant: PrivacyProtect.org Domain Admin (email@example.com) BPM 90035, 34, Parc d'Activite Syrdall Note - All Postal Mails Rejected, visit Privacyprotect.org Munsbach null,L-5365 LU Tel. +45.36946676 Creation Date: 06-Apr-2011 Expiration Date: 06-Apr-2012
In case you’re having trouble parsing the information, let me help you: it is a “parcel station” (think PO Box) address in Munsbach, Luxembourg. I will note, however, that six months after the initial registration by Privacy Protect of confluence-networks.com, Privacy Protect changes its contact address:
Registrant: PrivacyProtect.org Domain Admin (firstname.lastname@example.org) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676
Now it’s in Nobby Beach, Queensland, Australia, but the phone number has stayed the same. And as far as I can tell, the phone number is from Denmark.
To summarize: according to DomainTools.com, the domain clintonemail.com has been hosted by Confluence Networks since 12/22/2011, more than three years. Confluence Networks, based out of the British Virgin Islands, has only existed as a domain (confluence-networks.com) since April 2011, appears to be closely related to a Dubai-based media advertising firm, and has always had its domain name managed by PrivacyProtect.org, a registration privacy firm that lists addresses out of Luxembourg and Australia, but gives a phone number apparently out of Denmark, and that shows up repeatedly in connection with fraud, scam, and spam-related domains.
No, no questions or issues there. More as I dig it up. ..bruce..
[Here are all posts related to the Clinton e-mail issue.]
About the Author (Author Profile)Webster is Principal and Founder at Bruce F. Webster & Associates, as well as a Partner at Ironwood Experts. He works with organizations to help them with troubled or failed information technology (IT) projects. He has also worked in several dozen legal cases as a consultant and as a testifying expert, both in the United States and Japan. He can be reached at email@example.com, or you can follow him on Twitter as @bfwebster.
Sites That Link to this Post
- Monday Wash Day Blues …. | Be John Galt | March 5, 2015
- Low Popahirum, March 5, 2015 | The Hayride | March 5, 2015
- Rabbit Hole News: State Dept’s Private Email Usage Policy, Plus Attn: State/OIG – Firecracker Coming Your Way « Diplopundit | March 6, 2015
- Where is (or was) the Clinton e-mail server? : And Still I Persist… | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have been targeted | International American Council | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have … | Smart Press Release | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have been targeted | Bain Daily | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have … – Fox News | Motor parts shopping | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have … – Fox News | Garden Design Mart | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have … – Fox News | Baby Health Market | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have … – Fox News | SweetPetsSupply | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have been targeted | Conservative News | March 6, 2015
- SECURITY CONCERNS IT pros question if Clinton’s email was vulnerable | Trending Topic | March 6, 2015
- SECURITY CONCERNS IT pros question if Clinton's email was vulnerable | Country Connections | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have been targeted - AllNews24 | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have been targeted | TKG News | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could … | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have … – Fox News | You Buy Computers | March 6, 2015
- ‘How secure could it have been?’ IT crowd questions if Hillary email could have been targeted – Getonews – best news for you | March 7, 2015
- Physical security of the Clinton e-mail sever : And Still I Persist… | March 10, 2015
- No, we still don’t know where the Clinton server is, was, has been : And Still I Persist… | March 12, 2015