33 tweets, 7 min read
So this is a graph of a portion of the DNS lookup data, where Alfa Bank computers (red and blue) and a Spectrum computer (green) were looking up "mail1 dot trump-email dot com".
Each row is one day, sliced into two minute slots, and each bar is the number of lookups in that slot.
I'd previously done plots like this in black and white without differentiating between the source machines. One thing that jumps out at me is that the two Alfa Bank systems are acting as if they are a single machine.
They may literally be the same machine, with two assigned IP addresses. Or they could be a pair of machines acting in some synchronized way.
Realizing they're either the same or acting together affects my previous theories on the data. It is now plausible that we are seeing the side-effects of some caching somewhere of the DNS data, preventing lookups more often than hourly.
But it's not a perfect fit. If an application was caching, there would likely be one single lookup, which the process would remember for the lifetime of the process. No bars would be taller than 1 unit.
If the DNS system were caching these values, everything after the first second or two should have been cached and those lookups shouldn't have occurred. But some of these bars involve lookups spread out across 20 seconds or more. A DNS cache should kick in faster than that.
The biggest problem with seeing hourly spikes because of cache is the suggestion that countless other lookups are being masked. Most of the bursts come immediately after the hour expires, which suggests near-constant lookups are happening but only reaching the DNS servers hourly.
But it's not always exactly an hour gap; often it's longer than an hour by five or ten minutes, and sometimes it's much longer. This suggests traffic that is coming at a very high rate, and then shutting off entirely for a while (if we are assuming caching).
Figuring out the caching is kind of critical because it will mean the difference between human traffic and data synchronization. Humans don't communicate on an hourly clock, but data synchronization often does.
The round-the-clock nature also suggests to me that we're seeing automation, not caching. Human beings sleep.
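To make the caching argument above concrete, here is an added simulation (not code or data from the original thread) of a single caching resolver sitting in front of an application that re-resolves the same name on a fixed schedule. The lookup interval, the 3600-second TTL, the quiet period and the two-minute slot width are assumed values chosen for the illustration, not measurements from the Alfa Bank data. It shows two things: a shared cache turns any steady client rate into exactly one upstream query per TTL, so every bar has height 1, and a gap longer than the TTL appears only when the client happens to be silent at the moment the cached answer expires.

```python
"""Model of one caching resolver in front of an application that
re-resolves a name on a fixed schedule.

Added illustration of the caching argument in the thread, not the
author's code. All timings below are assumed example values.
"""
from collections import Counter

TTL = 3600      # assumed cache lifetime of the answer, in seconds
SLOT = 120      # two-minute slots, matching the thread's plot rows


def upstream_queries(client_lookups, ttl=TTL):
    """Replay client lookup timestamps (seconds, any order) through one
    shared cache. A lookup is answered from cache while the previous
    upstream answer is within its TTL; otherwise it is forwarded and the
    TTL clock restarts at that moment. Returns the forwarded timestamps,
    i.e. what an observer at the authoritative server would see."""
    expires_at = None
    forwarded = []
    for t in sorted(client_lookups):
        if expires_at is None or t >= expires_at:
            forwarded.append(t)
            expires_at = t + ttl
    return forwarded


def gaps(times):
    """Seconds between consecutive forwarded lookups."""
    return [b - a for a, b in zip(times, times[1:])]


def slot_heights(times, slot=SLOT):
    """Bar height per slot, as in the thread's per-day plots."""
    return Counter(t // slot for t in times)


def steady_client(interval, start, end):
    """Constructed schedule: one application lookup every `interval` s."""
    return list(range(start, end, interval))


def constant_rate_case():
    # Assumed: the application asks for the name every 5 s for 4 hours.
    lookups = steady_client(5, 0, 4 * 3600)
    return upstream_queries(lookups)


def bursty_case():
    # Assumed: same application, but quiet from 70 min until 2 h 7 min.
    lookups = steady_client(5, 0, 70 * 60) + steady_client(5, 127 * 60, 4 * 3600)
    return upstream_queries(lookups)


if __name__ == "__main__":
    for label, fwd in (("constant", constant_rate_case()), ("bursty", bursty_case())):
        print(label, "forwarded at", fwd, "gaps (min):", [g / 60 for g in gaps(fwd)])
        print("   tallest bar:", max(slot_heights(fwd).values()))
```

With the constant schedule the forwarded queries land at 0, 60, 120 and 180 minutes; with the pause, the third one slips to 127 minutes, giving a 67-minute gap even though the client was asking every five seconds whenever it was active. What a single shared cache cannot produce is a bar taller than one or a burst spread over twenty seconds, which is why the thread treats those features as evidence against a simple caching explanation.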
One intriguing fact that may not be immediately obvious: after the increases in lookups around August 4, almost all of the lookups are coming in groups of 6, or factors of 6 lookups. I'm not sure why.
Here's more of the data leading up to this. The traffic doesn't become really steady until June 24th. This is the day after Brexit, and Trump travelled to Scotland.
I should also point out the correlation between the Spectrum (green) system and the Alfa Bank (red and blue) systems. While the Alfa Bank systems are clearly strongly linked and acting as one, Spectrum lookups are not in sync with them at a minute-by-minute level.
But in terms of general trends, they are definitely correlated. When Alfa Bank lookups increase late on August 2nd, so do Spectrum lookups.

Claims that these are misconfigured systems going over old mail data are clearly not correct. Some new event has coordinated activity.
Now the claim is that this system that was named mail1 dot trump-email dot com had not sent out any Trump mass mailings since March 2016. Otherwise you could imagine that new mail being generated could be a coordinating event.
I also have to take the people who collected this data at their word that it represents a useful portion of all DNS lookups of this server. That is, a spam event should lead to massive lookups from many servers, not just two.
And no one has come forward that I know of with any spam that includes trump-email dot com in its headers after March 2016.
I realized I should give a more basic description of what DNS lookups are and what this data could mean.
A "Domain Name System" (DNS) lookup finds information about host names. The most common example would be "What is the address of example.com?"
And the most common reason for looking up a host name is that you want to connect to that host. Like looking up a person's house address because you want to go there. In the previous example, if you click on the example domain name, your browser will do a DNS lookup to connect.
So the strongest possibility is that Alfa Bank and Spectrum were looking up the trump email server address so that they could connect to it. But not the only possibility.
If you are receiving a connection, you may often want to do a reverse (PTR) DNS lookup. That is, I have this connection from 8.67.53.09 and I want to know who it is, so I do a reverse lookup to find it points to jenny.example.com.
That's not what these logs are, but in some (not common but not rare) cases, you may want to do a circular lookup (also called forward-confirmed reverse DNS). That is, after you've done a reverse lookup, you may want to check if the forward lookup of that name goes back to the same address.
The forward and reverse lookups are not required to match (in general) and often don't. But certain applications may require them to match as an extra layer of security.
So theoretically, if there was a connection from mail1.trump-email.com to the alfa bank servers, and they were expecting a trusted connection from there, they might want to double check that it was really coming from there...
So the second possible reason for doing a DNS host name lookup is as part of a circular lookup to closely scrutinize an incoming connection.
However, I have to think that if these security experts could see forward lookups, they could see reverse lookups too and would have told us about that. So not only is it a less common reason for a lookup, there should also be evidence. This is not likely the situation.
A third reason for looking up a host name is because you received that name in some other context (i.e. not from an incoming IP address). An example of this would be a spam check on email headers.
Email is sent with a lot of hidden data about how the email was transmitted, and Trump's spam had text in it like "Received-by: mail1.trump-email.com". Software that processes incoming email might want to check all such header addresses to see if any point to blacklisted IPs.
But as I said earlier in this thread, this system was allegedly not used for any Trump email since March 2016.
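The two lookup reasons just described, the circular (forward-confirmed reverse DNS) check on an incoming connection and the check of host names found in an email's Received trace headers, are shown together below as an added example; it is not code from the original thread. The DNS records, the blocklist and the sample message are constructed for the example (RFC 5737 documentation addresses and placeholder names). In a real deployment `lookup_a` and `lookup_ptr` would call a resolver, for instance `socket.getaddrinfo` and `socket.gethostbyaddr`, instead of reading a dict. The trace header a mail server writes has the form `Received: from <helo-name> (<reverse-name> [<ip>]) by <server> ...`, and the example parses that form.

```python
"""Forward-confirmed reverse DNS and a Received-header host check, driven
by constructed in-memory DNS records so it runs offline.

Added example, not code from the original thread. Records, blocklist and
the sample message are made up for illustration.
"""
import email
import re
from email import policy

# Constructed forward (A) records: name -> set of addresses.
A_RECORDS = {
    "mx1.example.net": {"192.0.2.10"},
    "relay.example.org": {"198.51.100.7", "198.51.100.8"},
    "spammer.example.com": {"203.0.113.99"},
}
# Constructed reverse (PTR) records: address -> name.
PTR_RECORDS = {
    "192.0.2.10": "mx1.example.net",
    "198.51.100.8": "relay.example.org",
    "203.0.113.5": "mx1.example.net",  # claims a name whose A records do not list it
}
BLOCKLIST = {"203.0.113.99"}  # constructed: one address we refuse mail from


def lookup_a(name):
    """Stand-in for a forward lookup (replace with a real resolver call)."""
    return set(A_RECORDS.get(name.lower().rstrip("."), ()))


def lookup_ptr(ip):
    """Stand-in for a reverse lookup (replace with a real resolver call)."""
    return PTR_RECORDS.get(ip)


def fcrdns(ip):
    """Circular lookup: PTR for the connecting address, then A for the
    returned name; confirmed only if that A set contains the address."""
    name = lookup_ptr(ip)
    if name is None:
        return "no_ptr", None
    if ip in lookup_a(name):
        return "confirmed", name
    return "mismatch", name


# "Received: from <helo> (<rdns> [<ip>]) by ..." as written by most MTAs.
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>[^\s(]+)"
    r"(?:\s*\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)


def received_hops(raw_message):
    """Parse every Received header, newest first, into (helo, rdns, ip)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(value.split()))  # unfold the header
        if m:
            hops.append((m.group("helo"), m.group("rdns"), m.group("ip")))
    return hops


def blocked_hops(raw_message, blocklist=BLOCKLIST):
    """Forward-resolve the names each hop carries and flag the hop if its
    literal address or any resolved address is on the blocklist. Only the
    Received lines added by your own servers are trustworthy; earlier ones
    can be forged by the sender, so this is a spam signal, not proof."""
    flagged = []
    for helo, rdns, ip in received_hops(raw_message):
        addrs = {ip} if ip else set()
        for name in (helo, rdns):
            if name and name.lower() != "unknown":
                addrs |= lookup_a(name)
        if addrs & blocklist:
            flagged.append((helo, rdns, ip))
    return flagged


# Constructed sample message with two trace headers (folded continuation lines).
SAMPLE = """\
Received: from relay.example.org (relay.example.org [198.51.100.8])
\tby mx1.example.net with ESMTP; Thu, 04 Aug 2016 10:00:01 +0000
Received: from spammer.example.com (unknown [203.0.113.5])
\tby relay.example.org with SMTP; Thu, 04 Aug 2016 09:59:50 +0000
From: sender@example.com
To: victim@example.net
Subject: test

body
"""

if __name__ == "__main__":
    for addr in ("192.0.2.10", "203.0.113.5", "198.51.100.7"):
        print(addr, fcrdns(addr))
    print(received_hops(SAMPLE))
    print(blocked_hops(SAMPLE))
```

Note the asymmetry in what each check produces: `fcrdns` needs a reverse lookup followed by a forward one, so a log of forward lookups alone would show a name like `mx1.example.net` being resolved, while the reverse query that triggered it sits in a different log; the Received-header check produces only forward lookups of whatever names the headers carry, whether or not the sender ever connected to you.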
So the most likely scenario is that these computers were looking up this name repeatedly so they could make repeated network connections to that machine. For, like, a zillion different possible reasons.
I should also point out that it's entirely possible there were connections in both directions, and the security experts only had access to DNS lookups related to Trump's domains. I haven't heard any statements about whether they would have been able to see Alfa Bank lookups.
How they got access is an open question. But the most likely answer is one that would probably exclude their having access to Alfa Bank, and could exclude their access to Spectrum Healthcare lookups.
Thread by Thomas A. Fine 🇺🇸