Was a Trump server communicating secretly with a Russian bank?

Tea Leaves and his colleagues plotted the data from the logs on a timeline. What it illustrated was suggestive: The conversation between the Trump and Alfa servers appeared to follow the contours of political happenings in the United States. “At election related moments, the traffic peaked,” according to Camp. There were considerably more DNS lookups, for instance, during the two conventions…

The Times hadn’t yet been in touch with the Trump campaign—Lichtblau spoke with the campaign a week later—but shortly after it reached out to Alfa, the Trump domain name in question seemed to suddenly stop working. When the scientists looked up the host, the DNS server returned a “fail” message, evidence that it no longer functioned. Or as it is technically diagnosed, it had SERVFAILed. (On the timeline above, this is the moment at the end of the chronology when the traffic abruptly spikes, as servers frantically attempt to resend rejected messages.) The computer scientists believe there was one logical conclusion to be drawn: The Trump organization shut down the server after Alfa was told that the Times might expose the connection. Nicholas Weaver told me the Trump domain was “very sloppily removed.” Or as another of the researchers put it, it looked like “the knee was hit in Moscow, the leg kicked in New York.”

Four days later, on September 27, the Trump organization created a new host name, trump1.contact-client.com, which enabled communication to the very same server via a different route. When a new host name is created, the first communication with it is never random. To reach the server after the resetting of the host name, the sender of the first inbound mail has to first learn of the name somehow. It’s simply impossible to randomly reach a renamed server. “That party had to have some kind of outbound message through sms, phone, or some non-internet channel they used to communicate [the new configuration],” Paul Vixie told me. The first attempt to look up the revised host name came from Alfa Bank. “If this was a public server, we would have seen other traces,” Vixie says. “The only look-ups came from this particular source.”
