"This email confirms your recent Evernote password change.
If your Evernote password was changed without your knowledge, then please click the link below to change it again:"
And a big "Reset Password" button.
A bit funny as they just told me to never click on something like that.
Personally, I probably cut people a bit of slack by going through whois to check if the domain belongs to some well-recognized mass mailer, but I wouldn't blame the MUA for just spamming anything that mentions a "login" along with a domain that isn't a descendant of the sender's domain.
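One way to implement the heuristic in the comment above (flag links whose host is not the sender's domain or a subdomain of it when the body talks about logins or passwords), as added example code, not something posted in the thread; it assumes a raw RFC 822 message string, a constructed sample modelled on the Evernote mail with a placeholder tracking path, and it takes the From: header at face value (no SPF/DKIM check, which a real filter would add).

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the thread's description; tracking path is a placeholder.
SAMPLE = """From: Evernote <no-reply@evernote.com>
To: user@example.net
Subject: Evernote password change
Content-Type: text/html; charset=utf-8

<html><body><p>This email confirms your recent Evernote password change.</p>
<p><a href="http://links.mkt5371.com/PLACEHOLDER_TRACKING_PATH">Reset Password</a></p>
<p><a href="https://www.evernote.com/Login.action">Sign in</a></p></body></html>
"""

class _LinkCollector(HTMLParser):
    """Collects every href attribute from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def is_descendant(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def sender_domain(msg):
    """Domain part of the From: header (hypothetical helper, header is trusted as-is)."""
    addr = parseaddr(msg["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()

def foreign_links(raw_message):
    """Return (hrefs whose host is not under the sender's domain,
    whether the body mentions login/password wording)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = _LinkCollector()
    collector.feed(body)
    domain = sender_domain(msg)
    foreign = [h for h in collector.hrefs
               if urlparse(h).hostname and not is_descendant(urlparse(h).hostname, domain)]
    mentions_credentials = any(w in body.lower() for w in ("login", "log in", "password"))
    return foreign, mentions_credentials
```

A filter built on this would score the message when `foreign` is non-empty and `mentions_credentials` is true; the Evernote mail trips both.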
1. User clicks http://links.example.com/?redirect=example.com/reset_passwor...
2. The server running on links.example.com makes a request to the third party web server
3. The server redirects the user to http://example.com/reset_password
Not that I'm particularly a fan of either practice, but there's probably some use cases there that would have to be accounted for in some way that the 3rd party service could accommodate.
I agree that neither approach is ideal, but it would prevent users from receiving third party links in their emails.
1) Silverpop doesn't have an option to disable tracking for specific links included in emails sent from their system or
2) The person creating the email failed to take advantage of this feature.
If Evernote wanted to take advantage of this feature on purpose in order to determine what percentage of their userbase has reset their password, then I'm baffled why they decided to trust a 3rd party lead management system instead of the updated_at fields in their database.
Either way, the whole point of purchasing Silverpop is that you can avoid having to code your own solution.
Better yet, simply point your DNS "passwordreset.evernote.com" to the same server.
If the user requests (from a link in the mail) "mkt5371.evernote.com/foo123", redirect to "links.evernote.mkt5371.com/foo123"; if they request "/bar456?id=asdask", redirect to the same query under the mailer's domain.
It was fairly well written, but I swore it was an elaborate phishing scheme. Here is an example of one of the URLs they used:
Now looking back, it's clear they were simply using a redirect URL to track clicks, but I had no clue. You can't even go to cmail4.com without getting an error and no description about what the service is.
Luckily, I had the Evernote app sign me out and ask me to log in again (which didn't work with my old password).
I had to log in through the website and it prompted me to change my password (no link on why), and then it worked with the new password.
I searched through my email trying to see if any email got eaten by the spam folder, but none, "No emails".
Up until about 28 hours ago (4AM March 3 in Japan), all the embedded links were the bogus, phishing-esque URLs that the OP complains about.
As of 22 hours ago (10AM March 3 in Japan), the emails look the same, but all the links point to http://evernote.com.
So at least somebody at Evernote did notice (or read this post or respond to similar complaints), and corrected the situation in the middle of their 50,000,000-user email campaign.
HTH is J. Random User supposed to figure out that mkt5371.com is a service hired by evernote.com? A minimally alert user would click the Report Phishing button upon mousing over.
By including a link that happens to do the right thing, Evernote is conditioning its users to succumb to phishing in the future.
But I initially assumed it to be ballsy phishing, a brazen attempt to capitalize on Evernote's current trouble. Why? BECAUSE IT HAS A FUCKING LINK TO THE SERVICE IN THE EMAIL! That's the very minimum definition of phishing. Sheesh!
I hovered over it, saw that it was to evernote, but hovers can be faked, and my intuition and experience told me that this smells like phishing no matter what. Sheesh.
This raises the question of how to educate users. I think we may be confusing them. I don't know about everyone else, but I teach non-technical people not to trust emails that ask you to reset your password when you didn't initiate the action. I always teach, as many of us do I think, "don't click links in emails unless you know the sender personally or have requested the link", but then in cases like this we have to go back on that statement and say "well, this time it's okay", and while we have really good and logical reasons for why, I don't think we can expect non-techies to understand it. To them it sounds like a contradiction, like "don't click links in emails except when I say it's okay". Then even if you teach people to check where the links are going (good luck), you've got to also teach them about domains, subdomains, and maybe even query strings. It's just a huge mess and I'm at a loss for how to educate people when it comes to a situation like Evernote's, regardless of having link tracking or not.
Also, their password reset letter comes from something like
firstname.lastname@example.org. I usually disregard everything like this automatically. Luckily, the reset link is planetside2.eu.
The person who organised the email drop clearly got some hassle over it and sent me a response personally, but clearly still did not understand the problem.
They seemed to have forgotten about phishing.
Some sites have taken to including in such emails account information that presumably only the company would know (such as part of the account number) along with the name. I know of at least one bank that does this. The idea, of course, is that the user can then verify that it must be coming from the company.
This can be reassuring when the email is legit, but the problem is that it requires the user to remember for subsequent emails that such information should be present. So, if a phishing attack comes, will the user stop and think, "hey, where is the personal account info?" Some will, but many won't. I mean, if a user can't be trusted to follow a simple set of instructions (thus needing links), then how can he be expected to remember the security policies of every company for which he is a customer?
Not to mention the fact that lots of 'personal information' is not in fact private, e.g. date of birth (one of my financial accounts uses date of birth), mother's maiden name, social security number, etc.
Is anyone working on such a thing?
(While I'm thinking of it, wordpress.com's password reset should be shot. I get several emails a day because it allows resets by username instead of email or username+email. This whole password issue needs some better minds assigned to it.)
To your point, as long as straight SMTP is involved, there will always be a gaping hole. But, sending https links is a very cheap way to prevent making the hole even bigger.
Anyway, all of this underscores the fact that virtually nothing that Evernote did was secure. But, most companies probably wouldn't have done much better.