Sunday, April 1, 2007

The White House email controversy: who runs GWB43.COM?

Who runs GWB43.COM?

It turns out that GWB43.COM is managed by a domain name server located at SMARTECHCORP.NET and another at TRESPASSERS-W.NET. We wanted to confirm that GWB43.COM was, in fact, the RNC domain we'd seen discussed, so we also did a "whois" lookup on GWB43.COM. A whois lookup is the Internet's way of telling you who owns the domain. As Figure B shows, GWB43.COM is owned by the RNC (the Republican National Committee).


GWB43.COM is owned by the RNC.

Interestingly, the administrative and technical contacts for the GWB43.COM domain show as an email address on the RNCHQ.ORG domain. Finance guys follow the money. We geeks follow the domains. So, who runs the RNCHQ.ORG domain? As you can see in Figure C, the domain name servers are again SMARTECHCORP.NET and TRESPASSERS-W.NET.


RNCHQ.ORG also uses the same two domain name servers.

Clearly, we've confirmed SMARTECHCORP.NET and TRESPASSERS-W.NET as operators of the RNC domains.

Our next step was to find out who operates the GWB43.COM email server.

What do we know about the GWB43.COM mail server?

Email servers are identified to other email servers by what are called MX (or Mail Exchange) records. Each domain that receives email publishes MX records in its DNS zone, naming the servers that accept its mail, and those records are served by the domain's name servers. So our next step was to identify the MX records for GWB43.COM, as shown in Figure D.


Now we know where mail goes when it's sent to GWB43.COM.

Now we know where mail goes when it's sent to GWB43.COM. It goes to one of two servers: MAILSCAN1.SMARTECHCORP.NET and MAILSCAN2.SMARTECHCORP.NET. So, once again, we bump into SMARTECHCORP.NET.
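The "follow the domains" method used above (read the NS records of a zone, reduce each name server to its operator's domain, then do the same for the zone's MX hosts) can be written down as a small script. This is an added example, not code from the original article. The record lines are constructed in the answer-section format that `dig` prints; the MX hosts are the two the article names, but the NS hostnames (`ns1.` labels) are placeholders, since the article only identifies the operators' domains, not the individual name server names.

```python
"""Follow the domains: parse DNS answer records for NS and MX and report
which operator domains stand behind each zone.

Added example, not from the original article. NS hostnames below are
constructed placeholders; MX hosts are the ones the article reports.
"""
import re
from collections import defaultdict

# Constructed sample in `dig` answer-section format. Values mirror the
# article's findings; the ns1.* labels are invented for illustration.
SAMPLE_ANSWERS = """\
GWB43.COM.      3600  IN  NS  ns1.SMARTECHCORP.NET.
GWB43.COM.      3600  IN  NS  ns1.TRESPASSERS-W.NET.
GWB43.COM.      3600  IN  MX  10 MAILSCAN1.SMARTECHCORP.NET.
GWB43.COM.      3600  IN  MX  20 MAILSCAN2.SMARTECHCORP.NET.
RNCHQ.ORG.      3600  IN  NS  ns1.SMARTECHCORP.NET.
RNCHQ.ORG.      3600  IN  NS  ns1.TRESPASSERS-W.NET.
"""

# owner  ttl  IN  type  rdata   (only NS and MX are of interest here)
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>NS|MX)\s+(?P<rdata>.+)$"
)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, upper-cased, no trailing dot.

    Deliberate simplification: correct for .COM/.NET/.ORG names like the
    ones here, wrong for two-level public suffixes such as co.uk, where a
    public-suffix list would be needed.
    """
    labels = host.rstrip(".").upper().split(".")
    return ".".join(labels[-2:])


def parse_answers(text: str) -> dict:
    """Return {zone: {"NS": [host, ...], "MX": [(preference, host), ...]}}."""
    zones = defaultdict(lambda: {"NS": [], "MX": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank lines, comments, other record types
        zone = m["owner"].rstrip(".").upper()
        rdata = m["rdata"].split()
        if m["type"] == "NS":
            zones[zone]["NS"].append(rdata[0].rstrip(".").upper())
        else:
            zones[zone]["MX"].append((int(rdata[0]), rdata[1].rstrip(".").upper()))
    for rec in zones.values():
        rec["MX"].sort()  # lowest preference value is tried first by senders
    return dict(zones)


def ns_operators(zones: dict, zone: str) -> set:
    """Operator domains behind a zone's name servers."""
    return {registrable_domain(h) for h in zones[zone.upper()]["NS"]}


def mx_operators(zones: dict, zone: str) -> set:
    """Operator domains behind the hosts that receive a zone's mail."""
    return {registrable_domain(h) for _, h in zones[zone.upper()]["MX"]}


def shared_operators(zones: dict, a: str, b: str) -> set:
    """NS operators common to two zones: the link the article draws
    between GWB43.COM and RNCHQ.ORG."""
    return ns_operators(zones, a) & ns_operators(zones, b)


if __name__ == "__main__":
    z = parse_answers(SAMPLE_ANSWERS)
    for zone, rec in z.items():
        print(zone, "NS operators:", sorted(ns_operators(z, zone)))
        if rec["MX"]:
            print(zone, "MX in delivery order:", [h for _, h in rec["MX"]])
    print("shared NS operators:", sorted(shared_operators(z, "GWB43.COM", "RNCHQ.ORG")))
```

In practice the input comes from `dig NS <zone>` and `dig MX <zone>` (and `whois <zone>` for the registrant and contact addresses), pasted in place of the constructed sample. Note what this does and does not establish: shared name servers and MX hosts show who operates the infrastructure, not who reads the mail, which is exactly the limitation discussed in the next paragraphs.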

Before we delve further into SMARTECHCORP.NET or the GWB43.COM email server, it's important to understand some of the inherent limitations of our research. As you well know, email goes in and email goes out. The only thing public Internet records can show us is where a message first goes when it leaves an email client and it's headed for GWB43.COM.

Whether the email lands at the first server, the publicly facing one according to the network records, or is stored and then forwarded on, is something we can't see from the outside. So we can't tell if Karl Rove or another member of the President's staff is accessing incoming mail directly off these SMARTECHCORP.NET servers.

Likewise, if someone with a GWB43.COM email address sends an email, that email might travel through the server we find, or it might go through a completely different path. We can't tell that specifically from public records.

But we can find out a little more about MAILSCAN1.SMARTECHCORP.NET and MAILSCAN2.SMARTECHCORP.NET. Figure E shows an SMTP (Simple Mail Transfer Protocol) session, connecting with MAILSCAN1.SMARTECHCORP.NET.


This is a Postfix server.

The key piece of information is in the banner field of the session. The key word there is "Postfix", which is the name of a well-respected open-source email server program. We did a test on MAILSCAN2.SMARTECHCORP.NET and got exactly the same results.
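The banner the article reads off the session is the server's 220 greeting, the first line an SMTP server sends after the TCP connection opens. The following added example (not code from the article) shows how to pick the reply code, the advertised hostname and the MTA name out of that line. The sample greeting is constructed to match what the article reports, a Postfix server, and is not a capture of the real host; `fetch_banner` needs network access and is only there to show how the greeting is collected.

```python
"""Parse an SMTP 220 greeting banner and report what it reveals.

Added example, not from the article. SAMPLE_BANNER is constructed to
resemble a Postfix greeting; it is not a capture of the real server.
"""
import re
import socket

# Constructed sample. Postfix's default greeting is built from its
# smtpd_banner setting ("$myhostname ESMTP $mail_name"), which is why the
# word "Postfix" shows up in the banner the article saw.
SAMPLE_BANNER = "220 mailscan1.smartechcorp.net ESMTP Postfix\r\n"

# 3-digit reply code, separator (" " final line, "-" continuation),
# then the hostname RFC 5321 requires, then free text.
BANNER_RE = re.compile(r"^(?P<code>\d{3})[ -](?P<host>\S+)?\s*(?P<rest>.*)$")

# MTA names commonly announced in greetings; matched case-insensitively.
KNOWN_MTAS = ("Postfix", "Sendmail", "Exim", "Microsoft ESMTP MAIL Service")


def parse_banner(line: str):
    """Split a 220 greeting into code, hostname, ESMTP flag and MTA name.

    Returns None for anything that is not a 220 greeting (e.g. a 554
    rejection or a malformed line) so callers can distinguish the cases.
    """
    m = BANNER_RE.match(line.strip())
    if not m or m["code"] != "220":
        return None
    rest = m["rest"]
    software = next((n for n in KNOWN_MTAS if n.lower() in rest.lower()), None)
    return {
        "code": int(m["code"]),
        "hostname": (m["host"] or "").lower(),
        "esmtp": "ESMTP" in rest.upper().split(),
        "software": software,  # None when the banner names no known MTA
    }


def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect, read the greeting, send QUIT, and return the first banner line.

    Needs network access; not exercised by the offline test. Multi-line
    greetings ("220-...") are read to the end so the server sees a clean QUIT,
    but only the first line is returned, since that is where the hostname
    and MTA name normally appear.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        lines = []
        while True:
            line = f.readline().decode("ascii", "replace")
            lines.append(line)
            if not line or line[3:4] != "-":  # "-" after the code means more follows
                break
        s.sendall(b"QUIT\r\n")
    return lines[0]


if __name__ == "__main__":
    print(parse_banner(SAMPLE_BANNER))
    # Live use: print(parse_banner(fetch_banner("mail.example.test")))
```

Two caveats that apply to the article's conclusion as well. The banner is whatever the administrator configured (in Postfix, the `smtpd_banner` parameter), so it is a self-declaration, not proof of the software running; a blank `software` result from a real server often just means the operator trimmed the banner. And from the defender's side, that trimming is cheap and removes an easy fingerprint, which is why many mail operators leave only the hostname and "ESMTP" in the greeting.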