
(Archived) Forwarding from Gmail to Evernote has a HUGE Privacy/Security Issue


If you set up a filter on gmail to forward specific emails to your Evernote account, and that forward fails on the Evernote end = Evernote will return the email TO THE ORIGINAL SENDER! ... not to you.  This is a huge security and privacy issue.  This happened to me recently with a business client that I was forwarding emails from to keep all his business communications in one place.  I had some serious explaining to do when HE received notice from MY Evernote account that the forward had failed.  Beware when using this highly promoted 'feature.'


Here is the explanation from Evernote Support:


I do apologize for the inconvenience. We have examined the emails received, and it appears that what is happening is expected behavior of Evernote.

When a user emails into the Evernote @m.evernote.com address, and it fails, that user will receive a bounce message. Your mail forward appears to be forwarding the original message, leaving the original "reply-to" as the person who sent the message. Therefore, if there is a failure notice to be sent, it will go to the person who sent the message to you originally. You would need to rewrite your forward somehow to change it so that your reply-to email is yourself, and not the original sender, for this behavior to change.


As this is not something that we can configure in Evernote Support, I regret that I will be unable to assist you further.



Can you let me know where on our website we're telling people to set up gmail filters? I didn't realize we were telling people to do that, but I'll make sure we get something posted to it if we are.


From Evernote employees? Or from other users telling you how *they* set it up? This is a public, lightly moderated (for bad language, spam and advertising, mostly) user forum, and users do share their own tips and tricks on how to use the software here. This is different from Evernote, the company, publicly promoting something though.


Really?  This is your response?  You are clearly avoiding the real issue by questioning a very minor side issue with me the messenger.  Address the REAL issue that I've pointed out ... 

I'm done with this diversion.  Please address the real issue = under certain circumstances Evernote will send unauthorized emails from my account to users who would not normally even know about my account.  If you knew this was the case, it would have been right and proper for you (when I say you, I mean Evernote) to warn users in the multiple discussions about email forwarding here on the forum.  Instead, as I've pasted above, employees have promoted it.  


Please stick to the real problem.  


Thank you!  


As I mentioned, this is a user forum, for users. I had run a search and found many places where users were talking about gmail filters, but I had not found the post by Daniel himself. I'll ask him to clarify that his post is about forwards and not redirects.


I have not found any of our marketing materials that mention this though.  I can't find any mention where we have published this as a use-case for users to do.


As you saw in the response from our support team, this isn't actually a *problem*, this is by *design.*


It seems like you have not set up a *forward* but a *redirect*. You need to fix the way your filter is set up so that the reply-to is *you* and not the original poster, or the bounce message will go to them. 


What you're doing right now is redirecting (or diverting) the original email and moving it into your Evernote mailbox. Instead, if you had set up a forward, it would be changing the "from" to your address, and not the original sender.


Think of it this way: When you file a Change of Address with the Post Office, your letters are redirected to you without making it to the original location, and some letters are not forwarded because they say "Post office: Do not Forward". Those are "Returned to Sender", with the notice that you've moved, rather than you receiving the notice that you had any mail at all. If you simply asked your neighbor to pick up your mail and send it to your new house, it would be coming from your neighbor's address, and you'd get everything, and no one would realize anything happened.


There's the difference. 


It *is* most certainly a security issue, but not one on our end.


The fact that you don't view this as a security issue on your end is very telling.  My account is with you.  Your relationship is with me.  When ANY activity happens in a non-normal way with my account, my expectation is that you would communicate that issue with me ... not with someone who is unknown to you and potentially unknown to me.  


There are a few issues that are at cross purposes here.




We are limited in our ability to contact users directly. (I am not a lawyer. Nothing I say here can be construed as such. Read our ToS for exact clarification on exactly when and how we can contact you.)


The @m.evernote.com address is a user's to do with what they will. It is not specifically tied to the email address on an account. Any email address that is *not* the one on your account would therefore fall under your "any activity happening in a non-normal way", as it's someone that isn't you sending something into your account.


Taking those two things into account, the only possible "fix" we could put into place would be to lock down the m.evernote.com address so that you could only email into it from the address you have on file on your account, as we certainly couldn't cc the user on file in addition to the person who emailed in whenever there was a mismatch.


I would be happy to file that as a feature request, but I believe that the majority of users would backlash against it pretty quickly, as they like the flexibility of being able to email in from anywhere.

The @m.evernote.com address is a user's to do with what they will. It is not specifically tied to the email address on an account.


Nonsense.  The m.evernote address is most definitely tied to my Evernote account ... and my private email address is most definitely tied to my Evernote account.  Therefore the m.evernote account is tied to my private email account.  


Listen - I've pointed out the problem, it's up to you how to respond to it. (Actually, your response is coming through to me as a user loud and clear.)  I would suggest at the very least, you should point out to the many users who use gmail filters with your service, that this is a potential security issue.  It sounds like you knew this was a potential issue before I pointed it out ... so I'm disappointed with the absolute silence on this issue on YOUR forums.  (Ya I know, you try to make it sound like you have no control in the forums, but the very fact that you've jumped on this thread so quickly leads me to believe that is not true either.)


The fact that you don't view this as a security issue on your end is very telling.  My account is with you.  Your relationship is with me.  When ANY activity happens in a non-normal way with my account, my expectation is that you would communicate that issue with me ... not with someone who is unknown to you and potentially unknown to me.  

The problem seems to be that although you have an account and relationship with Evernote, you've now introduced a third party to mediate your relationship with Evernote, in this case GMail. I'm not an email guru, but as I read it, the valid response to a mail failure is to send a bounce message back to the message's return path. If your forwarding rule doesn't reset the reply-to address to your Gmail account, it's going to go back to the original sender. The behavior makes sense; and evidently Evernote's mail server for the m.evernote.com domain behaves that way, too. If you could configure GMail to do that, then your problem would be solved (I tried, but couldn't see any way to do so, though; doesn't mean that I didn't miss something). Alternately, you might be able to configure a service like IFTTT or Zapier to perform that task (I use Zapier to create notes directly in my Evernote account for certain email domains, avoiding the email bounceback problem altogether).


I'd agree that there should be some documentation for the behavior, probably in the Knowledge Base. Expecting Evernote employees to point it out each and every time someone mentions using gmail auto-forwarding in the forums seems beyond the pale, but directing people to the Knowledge Base article (provided it's written) wouldn't hurt either. I'll leave it for Heather to tease out what Evernote can and cannot do vis-a-vis contacting customers with respect to the m.evernote.com domain; she's far more qualified than I am (I'm not an employee), and way better connected.


Meanwhile, you know the problem, and you may have the means to fix it, if you care to poke into Zapier or IFTTT. I've used both of these some, and may be able to provide some tips if you want to try them out.

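The two explanations above (forward versus redirect, and the bounce going back to the return path) describe a mechanism that is easy to check in code. The following Python model is an added example written for this thread; it is not Evernote's or Gmail's code, and every address in it is a constructed placeholder (only the m.evernote.com domain comes from the thread). It models the standard rule that a delivery status notification is sent to the envelope sender, the address recorded as Return-Path, which the posts refer to loosely as the reply-to, and it includes a check a user could run over a planned filter rule to see whether a failure notice would reach a third party rather than the account owner.

```python
"""Model of where a delivery-failure notice ends up when a message is
redirected versus forwarded.  Added example, not Evernote's or Gmail's
code; all addresses are constructed placeholders."""
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional


@dataclass
class Envelope:
    """One SMTP transaction: MAIL FROM (where failure notices go), RCPT TO,
    and the message data with its header block."""
    mail_from: str
    rcpt_to: str
    message: EmailMessage


def build_original(sender: str, recipient: str, subject: str, body: str) -> Envelope:
    """The client's message as it first arrives in the recipient's mailbox."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return Envelope(mail_from=sender, rcpt_to=recipient, message=msg)


def redirect(env: Envelope, new_rcpt: str) -> Envelope:
    """Redirect: only the envelope recipient changes.  MAIL FROM, From: and
    any Reply-To: remain whatever the original sender set."""
    return Envelope(mail_from=env.mail_from, rcpt_to=new_rcpt, message=env.message)


def forward(env: Envelope, forwarder: str, new_rcpt: str) -> Envelope:
    """Forward: the account owner originates a new message, so the envelope
    sender and Reply-To: point back at the forwarder, not the client."""
    original = env.message
    fwd = EmailMessage()
    fwd["From"] = forwarder
    fwd["To"] = new_rcpt
    fwd["Reply-To"] = forwarder
    fwd["Subject"] = "Fwd: " + original["Subject"]
    fwd.set_content(
        "---------- Forwarded message ----------\n"
        f"From: {original['From']}\n\n{original.get_content()}"
    )
    return Envelope(mail_from=forwarder, rcpt_to=new_rcpt, message=fwd)


def bounce_destination(env: Envelope) -> str:
    """A delivery status notification for a failed delivery goes to the
    reverse-path, i.e. the MAIL FROM address recorded as Return-Path."""
    return parseaddr(env.mail_from)[1]


def simulate_ingest(env: Envelope, mailbox_accepts: bool) -> Optional[Envelope]:
    """The receiving mail server either stores the message (returns None) or
    refuses it and emits a bounce.  The bounce carries the null reverse-path
    so that it can never itself bounce."""
    if mailbox_accepts:
        return None
    rcpt_domain = parseaddr(env.rcpt_to)[1].rsplit("@", 1)[-1]
    dsn = EmailMessage()
    dsn["From"] = f"MAILER-DAEMON@{rcpt_domain}"
    dsn["To"] = bounce_destination(env)
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn.set_content(f"Delivery to {env.rcpt_to} failed.")
    return Envelope(mail_from="", rcpt_to=bounce_destination(env), message=dsn)


def bounce_leaks_to_third_party(env: Envelope, account_owner: str) -> bool:
    """Check for a planned filter rule: would a failure notice for this
    envelope reach someone other than the account owner?"""
    return bounce_destination(env) != parseaddr(account_owner)[1]


if __name__ == "__main__":
    me = "me@example.com"                      # constructed
    client = "client@example.net"              # constructed
    ingest = "someuser.abc123@m.evernote.com"  # constructed local part
    original = build_original(client, me, "Q3 contract", "Please review.")
    for label, env in (("redirect", redirect(original, ingest)),
                       ("forward", forward(original, me, ingest))):
        dsn = simulate_ingest(env, mailbox_accepts=False)
        print(f"{label:8s} bounce -> {dsn.rcpt_to}  "
              f"leak={bounce_leaks_to_third_party(env, me)}")
```

Run as a script it prints one line per variant: the redirect's bounce is addressed to the client, the forward's to the account owner. The `bounce_leaks_to_third_party` check is the one worth keeping: any rule that hands a message on without rewriting the envelope sender will fail it, whatever mail provider or ingest address is involved.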

You have pointed out some issues with your third-party, non-Evernote-y workflow, and I've explained why, technically, this has occurred. This is not an Evernote issue, it is a mail server/routing issue.


I'm truly sorry that my explanations have been inadequate in that regard. I have tried to come at it from different angles, technical and non, so that this would make sense.


Perhaps there is someone else who can better explain the issue than I can.


I fully understand everything you've said Heather.  Once we got you on track and addressing the actual problem, you've been very clear why it happened (which I already knew from the information received from support), and you've been very clear in emphasizing that Evernote will not address this potential problem on their end, but will leave it to users to both find out and then attempt to solve themselves.  No need to try to find someone else to dumb down your message for me ... thanks.


We'll look into providing some documentation on this to make rerouting clear.  Again, this is something we don't have meaningful control over, but putting some wording in an article about forwarding v rerouting could be something we could do for anyone who may be concerned.  Sort of a general PSA.  Closing.



This topic is now archived and is closed to further replies.
