How not to send password reset notification email

200 points by slaven about 12 years ago

14 comments

Avestan about 12 years ago
In their Security Notice they write "Never click on 'reset password' requests in emails — instead go directly to the service". And after I changed my password I received a confirmation email saying

"This email confirms your recent Evernote password change.

If your Evernote password was changed without your knowledge, then please click the link below to change it again:" and a big "Reset Password" button.

A bit funny, as they just told me to never click on something like that.
Comment #5312853 not loaded
LaGrange about 12 years ago
This is more generic: if you do link tracking in your email, do it through your own domain; it's really not that hard, and URLs that go through some other business are a huge red flag.

Personally, I probably cut people a bit of slack by going through whois to check if the domain belongs to some well-recognized mass mailer, but I wouldn't blame the MUA for just spamming anything that mentions a "login" along with a domain that isn't a descendant of the sender's domain.
Comment #5312567 not loaded
Comment #5312753 not loaded
jere about 12 years ago
Three years ago, 37signals wrote an email saying all users would have to pick new user names and passwords (I guess changing to a single sign-in across all apps).

It was fairly well written, but I *swore* it was an elaborate phishing scheme. Here is an example of one of the URLs they used: http://37signals.cmail4.com/t/y/l/uiulli/kkulljtjr/d

Now looking back, it's clear they were simply using a redirect URL to track clicks, but I had no clue. You can't even go to cmail4.com without getting an error and no description of what the service is.
cnu about 12 years ago
I didn't even get the email from Evernote regarding the password reset.

Luckily, I had the Evernote app sign me out and ask me to log in again (which didn't work with my old password). I had to log in through the website, and it prompted me to change my password (no hint as to why), and then it worked with the new password.

I searched through my email trying to see if any email got eaten by the spam folder, but none: "No emails".
Comment #5312649 not loaded
Comment #5312492 not loaded
veidr about 12 years ago
Just an interesting tidbit I noticed: I received several of these mails from Evernote, as I have multiple accounts (including some I set up for others).

Up until about 28 hours ago (4AM March 3 in Japan), all the embedded links were the bogus, phishing-esque URLs that the OP complains about.

As of 22 hours ago (10AM March 3 in Japan), the emails look the same, but all the links point to http://evernote.com.

So at least somebody at Evernote did notice (or read this post, or respond to similar complaints), and correct the situation in the middle of their 50,000,000-user email campaign.
Comment #5316112 not loaded
theyCallMeSwift about 12 years ago
Couldn't Evernote just use a CNAME record on a subdomain that pointed to mkt5371.com? I know that's how the SendGrid click tracking app keeps the links on your domain (http://sendgrid.com/docs/Apps/click_tracking.html).
Comment #5315296 not loaded
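The two comments above (LaGrange's "descendant of the sender's domain" heuristic and theyCallMeSwift's CNAME suggestion) can be shown together in one small checker. This is an added example, not code from the thread or from Evernote or SendGrid; the From header, the look-alike `attacker.example` host and the CNAME map are constructed, while evernote.com and mkt5371.com are the domains the thread discusses.

```python
"""Flag e-mail links whose host is not the sender's domain or a subdomain
of it, and show why a CNAME-delegated tracking subdomain passes the check.
Added example; all sample values are constructed."""
import re
from typing import Dict, Optional
from urllib.parse import urlparse

LINK_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def host_under_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.
    Whole labels are compared, so 'evernote.com.attacker.example' fails."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_domain(from_header: str) -> str:
    """Extract the domain after '@' from a From header."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not m:
        raise ValueError("no domain in From header")
    return m.group(1).lower()


def classify_links(from_header: str, html_body: str) -> Dict[str, str]:
    """Return {url: 'ok' | 'foreign'} for every href in the body."""
    domain = sender_domain(from_header)
    verdicts = {}
    for url in LINK_RE.findall(html_body):
        host = urlparse(url).hostname or ""
        verdicts[url] = "ok" if host_under_domain(host, domain) else "foreign"
    return verdicts


# Constructed mail: a vendor-domain tracked link, a tracked link under the
# sender's own domain, and a look-alike host that must not pass.
SAMPLE_FROM = '"Evernote" <no-reply@evernote.com>'
SAMPLE_BODY = """
<a href="https://mkt5371.com/track?u=abc">Reset Password</a>
<a href="https://links.evernote.com/track?u=abc">Reset Password</a>
<a href="https://evernote.com.attacker.example/login">Log in</a>
"""

# Constructed CNAME map: the subdomain the sender would delegate to the
# tracking vendor, so the visible host stays under the sender's domain.
CNAME_MAP = {"links.evernote.com": "mkt5371.com"}


def delegated_to(host: str) -> Optional[str]:
    """Vendor host a tracking subdomain is CNAMEd to, if any."""
    return CNAME_MAP.get(host.lower())
```

Only the second link passes the heuristic, even though it ends up at the same vendor as the first one; that is the whole point of keeping the tracking hostname under your own domain.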
cynwoody about 12 years ago
Quite moronic of Evernote.

HTH is J. Random User supposed to figure out that mkt5371.com is a service hired by evernote.com? A minimally alert user would click the Report Phishing button upon mousing over.

By including a link that happens to do the right thing, Evernote is conditioning its users to succumb to phishing in the future.
nonamegiven about 12 years ago
I got a reset message from Evernote, and I didn't even remember that I had an account. I must have tried it for my typical 30 seconds to conclude "meh" and moved on, then forgot it. I'm still not 100% sure what they do beyond ... note taking?

But I initially assumed it to be ballsy phishing, a brazen attempt to capitalize on Evernote's current trouble. Why? BECAUSE IT HAS A FUCKING LINK TO THE SERVICE IN THE EMAIL! That's the very minimum definition of phishing. Sheesh!

I hovered over it, saw that it was to Evernote, but hovers can be faked, and my intuition and experience told me that this smells like phishing no matter what. Sheesh.
Comment #5315357 not loaded
bpatrianakos about 12 years ago
Great points, and something I've been studying and trying to perfect myself for my own service. So while I couldn't agree more with the author's position, I think the unfortunate reality is that there's only a very small minority of users who would know any better anyway. It's mostly just people like us who would know better. Everyone else would just click because there are no spelling or grammar errors and the email is branded properly.

This raises the question of how to educate users. I think we may be confusing them. I don't know about everyone else, but I teach non-technical people not to trust emails that ask you to reset your password when you didn't initiate the action. I always teach, as many of us do I think, "don't click links in emails unless you know the sender personally or have requested the link", but then in cases like this we have to go back on that statement and say "well, this time it's okay", and while we have really good and logical reasons for why, I don't think we can expect non-techies to understand it. To them it sounds like a contradiction, like "don't click links in emails except when I say it's okay". Then even if you teach people to check where the links are going (good luck), you've got to also teach them about domains, subdomains, and maybe even query strings. It's just a huge mess, and I'm at a loss for how to educate people when it comes to a situation like Evernote's, regardless of having link tracking or not.
DocG about 12 years ago
The worst cases of emails I have gotten are from Sony. For example, the Planetside 2 beta acceptance letter came from info@e-sonyonline.com and without ANY personal information. It was the most generic official letter I have received. The link to download PS2 was also from link.e-sonyonline.com. I disregarded it at first, only discovering after a while that it was genuine. And a lot of people are having doubts about this address; just google it.

Also, their password reset letter comes from something like contact@p7s1games.net. I usually disregard everything like this automatically. Luckily the reset link is planetside2.eu.
kybernetikos about 12 years ago
Official email should *never* include links (unless it's signed, but what is?); the potential for trouble is just too great. I had this exact same problem back in 2003 from a financial company. I wrote them a serious email telling them just how dangerous it is to teach your users that it's OK to click on links that don't even go to your domain in random emails. I even showed them how easily I could create a phishing site.

The person who organised the email drop clearly got some hassle over it and sent me a response personally, but clearly still did not understand the problem.
Comment #5313646 not loaded
logn about 12 years ago
I also hate when the unsubscribe link for spam is on a different domain than the business, using a 3rd-party email/marketing company. And I hate how "enter your email to confirm unsubscribing" is pretty common.
Comment #5313266 not loaded
ringmaster about 12 years ago
I was disappointed by this headline. After resetting my Evernote password this morning, I was looking forward to reading about a new technique that would allow me to avoid password resets in the future. Oh, well.

Is anyone working on such a thing?

(While I'm thinking of it, wordpress.com's password reset should be shot. I get several emails a day because it allows resets by username instead of email or username+email. This whole password issue needs some better minds assigned to it.)
unclebucknasty about 12 years ago
Should also be using SSL so the querystring is encrypted.
Comment #5315341 not loaded