
Spam in Your Calendar? Here’s What to Do - feross
https://krebsonsecurity.com/2019/09/spam-in-your-calendar-heres-what-to-do/
======
brongondwana
This has been something that we've been aware of as a threat in the industry
for a while:

[https://www.calconnect.org/news/2019/01/18/calconnect-publishes-calendar-spam-best-current-practices](https://www.calconnect.org/news/2019/01/18/calconnect-publishes-calendar-spam-best-current-practices)

I first spoke on a panel about it more than a year earlier than that, along
with some people from 1&1 who were very keen to see progress on at least
defining the risks!

But it's hard to get attention on fixing things, even in the big players
(maybe especially in the big players) until there's user impact.

It's also why, from the very first moment we added this feature in our system,
the default in Fastmail has been "only auto-add if it's from somebody in my
addressbook". And the "from somebody in my addressbook" test checks for DKIM
or SPF alignment.

We also allow turning auto-add off of course, or restricting it only to
senders in a particular named addressbook group.
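
The default described in the comment above (auto-add only when the sender is in the address book and DKIM or SPF aligns with the From: domain), sketched as an added example; it is not Fastmail's code and not part of the original comment. The authserv-id `mx.example.net`, all addresses and the helper names are assumptions, and alignment here is strict (exact domain match) rather than DMARC's relaxed organizational-domain match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own MTA

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def aligned_auth(msg):
    """DKIM or SPF passed for exactly the From: domain (strict alignment)."""
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    if not from_domain:
        return False
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        # Only trust results stamped by our own MTA, which is assumed to
        # strip inbound headers that already carry its authserv-id.
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for clause in results.split(";"):
            clause = " ".join(clause.split())  # undo header folding
            m = re.match(r"dkim=pass\b.*\bheader\.d=([\w.-]+)", clause)
            if m and m.group(1).lower() == from_domain:
                return True
            m = re.match(r"spf=pass\b.*\bsmtp\.mailfrom=(\S+)", clause)
            if m and _domain(m.group(1)) == from_domain:
                return True
    return False

def should_auto_add(msg, address_book):
    """Auto-add only invites from an address-book sender with aligned auth."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    has_invite = any(p.get_content_type() == "text/calendar" for p in msg.walk())
    return has_invite and sender in address_book and aligned_auth(msg)

def make_msg(from_hdr, auth_results):
    """Build a constructed sample invite (not real traffic)."""
    return message_from_string(
        f"From: {from_hdr}\nAuthentication-Results: {auth_results}\n"
        "Content-Type: text/calendar; method=REQUEST\n\n"
        "BEGIN:VCALENDAR\nEND:VCALENDAR\n")

BOOK = {"alice@example.org"}  # constructed address book
GENUINE = make_msg("Alice <alice@example.org>",
                   "mx.example.net; dkim=pass header.d=example.org")
SPOOFED = make_msg("Alice <alice@example.org>",  # From: forged, auth is spammer's
                   "mx.example.net; dkim=pass header.d=spammer.test;"
                   " spf=pass smtp.mailfrom=bounce@spammer.test")
```

`should_auto_add(GENUINE, BOOK)` is true, while `SPOOFED` is rejected: its From: address is in the address book, but the DKIM and SPF passes belong to a different domain.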

~~~
daurnimator
I would be disappointed if I e.g. buy a plane ticket or a ticket to a show and
the event is not added to my calendar. (and you never know the email that a
show ticket will come from; so I can't add it to my address book)

As an alternative, could you just have it so if I mark an email as spam, any
calendar events from it are deleted from my calendar?

~~~
brongondwana
Luckily you can turn on "live dangerously" mode if you want - and besides the
email arrives straight to your mailbox (unless marked spam) and has a button
right there to add it to your calendar.

We think the default is the right balance for most people, and provide easy
knobs to adjust the settings if you want.

Right now marking the email spam doesn't find the related calendar events.
There's some design work to be done there around user interface when marking
emails as spam in bulk (particularly with support for undo and rolling back
the calendar changes which isn't as simple as just applying the attached event
again, because you may have updated the calendar event since)

~~~
zaarn
For events from spam emails that got updated, it might be worth to investigate
if you could ask the user; "You marked an email as spam but an event was
imported from it that you updated, Keep/Update/Delete?"

------
mcbuilder
With Google I recently had invites from emails sitting in my spam folder show
up in my calendar. You would think that being flagged as spam would be simple
to filter on. I actually really value the automatic adding of events to my
calendar from legitimate emails, so this was very infuriating as the spam
continued to pour in over weeks.

~~~
echelon
This recently started happening to me too! Spam emails with ical/calendar
attachments get loaded into my calendar even if they're appropriately flagged
as spam in my Gmail inbox.

It's especially annoying as the spammers create repeated alerts (often late at
night). I've wound up with dozens of these I have to manually clear from my
calendar.

All of this started a few weeks ago. Perhaps it was a regression rather than a
new exploit?

_Google/Gmail engineers: please file this as a bug._

~~~
dannyking
Note that if in Google calendar you mark one of those events as spam, all the
recurring ones are automatically removed, whereas if you just delete one it
does not remove the others. There's a 'report spam' option (desktop only) in
the little drop down options when you open the event.

~~~
fromanator
I was so frustrated that reporting spam was desktop only. To add insult to
injury if you try to go to the web app on your Android phone in a desktop tab
it still opens the Android app instead. Since I was at work (and I don't login
to any personal accounts on my work laptop) I had to use Firefox mobile to
mark them all as spam.

~~~
masonic
The Gmail Android app has had "Report spam" in the 3-dot menu for a long time.

~~~
danielsamuels
Which is not what's being discussed here.

------
joshi4
For those that prefer a more visual guide, I've created one here:
[https://flowshare.io/flow/how-to-block-spam-invitations-from-your-google-calendar](https://flowshare.io/flow/how-to-block-spam-invitations-from-your-google-calendar).
It has a screenshot for every step (desktop) and less than 50 words in total.

~~~
chopete
Very concise. Btw, I see that you created this tool. It is a brilliant tool.
Just wish people would start using this tool to explain the steps instead of
writing them in ad filled/narrow column pages.

~~~
joshi4
Thanks! Let me know if you run into any problems using the site

------
pimterry
Unfortunately, the google calendar option doesn't actually reject invitations
or really remove them from your calendar, it just hides them for _you_. If
you're sharing your calendar with anybody then they're still visible to them,
and as far as I can tell that's unavoidable.

That means if you are sharing your calendar you can't use this option, since it
makes it impossible to remove the events that are now spamming everybody else.
You have to just manually mark them as spam every time they appear. I get an
event like this maybe every other day at the moment, even though they're
almost all identical and I've reported them as spam, it's unbelievably
annoying. Even more annoying: gmail is actually picking up the invitation
email itself as spam, so it's fully aware that it's unwanted, but then it
appears in my calendar regardless. Gmail filters to delete them immediately on
arrival don't seem to do anything.

I'm right back to the spam dark ages right now, it's terrible.

~~~
flowersjeff
Oh boy, I didn't realize this and will need to check about this. I thought
that filtering would help, but if those folks that I've shared my calendar
with are seeing this weirdness....

Between this and the fact any joker can share a document with one's drive...
Making google hard to use for business.

I'm now deathly afraid to have any of these products opened when connected to
a projector/presenting...

------
kossTKR
How hard can it be to _not_ insert 30 events from mails that are clearly in
the spam folder already?

This issue is baffling to me. If Gmail knows it's spam why on earth are they
inserted. Also why inserting 50 events over 4 days suspicious in the first
place I don't know.

A "post mortem" would be interesting - why hasn't this been resolved in a
couple of days if the solution is that simple and it affects thousands of
users over many months?

~~~
grosswait
Couldn't agree more. Spam is assumed to be useless at best, if not outright
harmful. This is a vector that is easily shut down and should be ASAP.

------
hn_throwaway_99
I understand this is perhaps the only current solution, but for me this
definitely would not work. I actually _rely_ on seeing those un-responded
events in my calendar, especially for large group events.

I'd much prefer a "don't show un-responded invites _from people you do not
know_ " option.

------
flyGuyOnTheSly
>the calendar applications from Apple, Google and Microsoft are set by default
to accept calendar invites from anyone.

That's insanely dumb.

Why not at least limit calendar invites to contacts or contacts of contacts?

~~~
comboy
Contacts of contacts would be a privacy violation.

~~~
flyGuyOnTheSly
Whose privacy is being violated if a friend of a friend invites you to do
something?

The system in my mind wouldn't tell contacts of contacts "hey, did you know
you can invite this person that you've never met with the email@gmail.com that
you were previously unaware of (and knows Susy and John) via google calendar?"

It would just whitelist contacts of contacts, and would probably cut out 99.9%
of the spam with little to no impact on the user.

It's much less intrusive than Facebook saying "hey, these two friends of yours
know this person who is not your friend, do you know them?", at least.

~~~
function_seven
Let's say I'm in the closet, and GLAAD sends out an invite that lands on my
father's calendar. Hmmm, who among his contacts also has GLAAD in theirs?

I'm sure there are other scenarios. I don't want my contacts list being used
to filter email for other people in my contacts list. It's _my_ list. Not a
public web-of-trust thing.

------
wildrhythms
I had one of these show up in my Google Calendar, it was an every-day
reoccurring event. I opened the three dot menu on one of the events > Report
as spam, and it removed the event and all of its reoccurrences.

I shudder to think how many innocent people will see this and follow through
with the scam.

------
phpnode
I got a fairly explicit one of these in my calendar the other day,
unfortunately it's a calendar I share with my wife, so it appeared on her
phone too. That was a fun conversation.

Neither of us could delete the event, either via google calendar or ical. Nor
could I find the original email I assume it came from. In the end I just
deleted the whole shared calendar.

~~~
netghost
I had a similar experience, eventually I found the message in my spam folder.
It's ridiculous that messages marked as spam show up on the calendar, but now
we know.

------
prepend
I was hoping this was about the birthday spam notices in google calendar.
There’s no way to delete contact birthday info without deleting the contact.

For some reason Google thinks it’s cool that I’ve emailed “foo@gmail.com” at
some point in my life. Foo set their birthday in Gmail and now their birthday
shows on my calendar along with people I actually want.

------
adrianmonk
Google says they're working to fix an issue related to this:

From
[https://support.google.com/calendar/thread/13429505?hl=en](https://support.google.com/calendar/thread/13429505?hl=en)
:

> _We're aware of the spam occurring in Calendar and are working diligently
> to resolve this issue. We'll post updates to this thread as they become
> available._

------
agustif
I get this shit all the time, followed a way to disable it on google calendar,
unsubscribed from all calendars, uninstalled calendar.app from iphone, and am
still getting 'em WTF!

Also mostly Russian nonsense

------
dillondoyle
We saw this over the past couple weeks. It freaked me out and google's g suite
support was useless. I did report the IAM it looked like these invites came
from (to both the cloud fraud form and gsuite support) but maybe that listed
IAM is actually google's auto-add-to-calendar bot? I didn't think it made
sense to contact cloud enterprise support which tends to have awesome
responses.

I was concerned because:

* we received more sophisticated than usual SPAM/phishing to our employees 'from' one of our partners around the same time
* we work in politics
* the timezone on the calendar spam was Russia and multiple staff received the spam invites

------
mbowcutt
Yep, I've been getting Russian events in my google cal that just reappear the
day after I report them as spam (which does what?)

Unfortunately, it's pretty inconvenient to just not show calendar events that
I haven't accepted. If you have a busy calendar, it can be helpful to
prioritize events - some will inevitably be declined or left hanging, but
those are useful to see.

It's pretty crazy that calendar invites that are already filtered out to my
spam email folder show up in my normal google calendar. Seems like a quick
solution for google to go fix.

------
deathhand
I have seen this now as a sales tactic, especially with EMC.

~~~
SteveNuts
I've had a lot of supposed "Enterprise" sales people at well known large
companies try to pull that.

They'll send a calendar invite and pretend it's a follow up to a meeting we
had. Yeah like I can't see through that bullshit. Immediate report as spam.

~~~
srtjstjsj
Smells like a CFAA violation to me.

------
dwighttk
They need to let you easily delete events without responding to them. I ended
up deleting them without (I think) responding but not until trying two or
three different ways which each insisted I had to reply that I wasn’t
attending. And now I’m not even sure how I did it and will probably have to
cycle through all those attempts again next time.

------
npmaile
My problem with this is that I have a Russian event every night that only
shows up on my phone calendar. I did the fix to remove it from Google calendar
through the web, but it's only gone on the web. It still shows up on my phone
with no option to delete all.

I've been deleting the next 4 days every 4 days for the last two weeks.

------
WhiteSage
I recently had this problem in an old Samsung phone. The spam was not directly
coming from email, but from some other installed app which was somehow
tricking S planner (Samsung's calendar app) into adding the events to google's
calendar, even though the original spammer app had no calendar permissions.

------
guiporto
In my case, I had these spam-invites sent from my G Suite email to my personal
Gmail. I could see the emails on the Sent folder.

The weird part is that I had a strong password (1password) + 2-factor on both
accounts. I use FF with containers so I only use my email on a container and
nowhere else.

I had reviewed all the 3rd party apps and security settings on both accounts
and it all looked normal to me. The only issue is that I didn't have the SPF,
DMARC and DKIM setup - fixed after it.

I sent email to abuse@google but got no response.

------
phil9987
Important detail that Helene mentions in a comment: You should add that that
setting in Google Calendar is only available on desktop. I spent a while the
other day after getting one of these trying to find the setting on my phone.
It’s not there. The setting affects your phone too, just have to use your
desktop to change it.

------
nemetroid
I recently got an iPhone and had this issue for the first time ever, during
the first week of usage. It only showed up in the phone-local calendar, so I'm
guessing the phone picked it up from some e-mail that Google ignored as spam.

------
bjourne
Thank you for posting this. I also had spam showing up in my calendar and
feared that my Google account had been hacked. The spam even caused calendar
notification sounds to be played in the middle of the night! Worst Default
Setting Ever.

------
wastholm
I have on occasion thought that this kind of spam should be possible, but
never witnessed it, and then, while I was reading this very article, up popped
a reminder from Google Calendar about some iPhone that I had allegedly won.

------
ridaj
Are these attacks the result of mail programs auto-adding spammy email
invites, or of some hacking around with the kinds of features of calendar apps
that let you create events with attendees directly?

~~~
miguelmota
The article mentions that the calendar applications from Apple, Google and
Microsoft are set by default to accept calendar invites from anyone.

------
kull
For spam in google calendar you just turn off the option that is automatically
accepting incoming calendar invites.

------
xvector
It's bizarre that Calendar was set up to allow invitations from non-contacts
in the first place.

------
PhantomGremlin
I was hoping this would be about getting rid of events such as "Ashura" in my
iPhone calendar. Doubtlessly that day is important to a lot of people. But I
would prefer to simply have the US legal holidays, without all the other
stuff.

Apple are being real dicks about the all-or-nothing nature of these events.
Why can't we have some granularity as to the holidays we see in our Calendar?

~~~
dragonwriter
> Apple are being real dicks about the all-or-nothing nature of these events.
> Why can't we have some granularity as to the holidays we see in our
> Calendar?

Opposing customization in favor of a common consistent curated experience
based on Apple’s superior knowledge (especially compared to customers
themselves) of what customers want has been the Apple way for a long time.

~~~
kilo_bravo_3
It is easy to granularly manage holidays in calendar.app.

Step 1: Turn off default holidays calendar.

Step 2: Subscribe to calendar feed of your choice.

------
hendry
I'm struggling to invite friends to my kid's birthday so that last-minute changes
are reflected.

No MUA is clear how they even parse ICS or "text/calendar" URLs.

[https://twitter.com/kaihendry/status/1167634464110825473](https://twitter.com/kaihendry/status/1167634464110825473)

This should be a standard!

------
baby
I started receiving these a few weeks ago :( I thought it must have been an
exploit somewhere.

------
kissgyorgy
I had this the other day, it was not trivial to find this setting to disable.

