Hacker News new | past | comments | ask | show | jobs | submit login
Spam in Your Calendar? Here’s What to Do (krebsonsecurity.com)
275 points by feross 17 days ago | hide | past | web | favorite | 73 comments

This has been something that we've been aware of as a threat in the industry for a while:


I first spoken on a panel about it more than a year earlier than that, along with some people from 1&1 who were very keen to see progress on at least defining the risks!

But it's hard to get attention on fixing things, even in the big players (maybe especially in the big players) until there's user impact.

It's also why, from the very first moment we added this feature in our system, the default in Fastmail has been "only auto-add if it's from somebody in my addressbook". And the "from somebody in my addressbook" test checks for DKIM or SPF alignment.

We also allow turning auto-add off of course, or restricting it only to senders in a particular named addressbook group.

I would be disappointed if I e.g. buy a plane ticket or a ticket to a show and the event is not added to my calendar. (and you never know the email that a show ticket will come from; so I can't add it to my address book)

As an alternative, could you just have it so if I mark an email as spam, any calendar events from it are deleted from my calendar?

Luckily you can turn on "live dangerously" mode if you want - and besides the email arrives straight to your mailbox (unless marked spam) and has a button right there to add it to your calendar.

We think the default is the right balance for most people, and provide easy knobs to adjust the settings if you want.

Right now marking the email spam doesn't find the related calendar events. There's some design work to be done there around user interface when marking emails as spam in bulk (particularly with support for undo and rolling back the calendar changes which isn't as simple as just applying the attached event again, because you may have updated the calendar event since)

For events from spam emails that got updated, it might be worth to investigate if you could ask the user; "You marked an email as spam but an event was imported from it that you updated, Keep/Update/Delete?"

I have the opposite problem. So many times I buy a ticket and there is not a single "add to calendar" button.

I don't even ask for an auto-add. Just a button. But apparently this is one of the most forgotten feature ever.

Either devs don't think about it, or they tested it and it confused the non tech-saavy users so much they decided against it. I can imagine the later very well, though. My mother would click and the setup for a calendar she doesn't have would start, loosing her the process.

Everything old is new again.

From 2012, the first(?) time this was a widespread issue on the web: https://www.theverge.com/2012/6/29/3126837/google-plus-event...

and Google has been enduring calendar spam for years beyong Google+: https://support.google.com/calendar/forum/AAAAd3GaXpE5kUOfyI...

With Google I recently had invites from emails sitting in my spam folder show up in my calendar. You would think that being flagged as spam would be simple to filter on. I actually really value the automatic adding of events to my calendar from legitimate emails, so this was very infuriating as the spam continued to pour in over weeks.

Same. I had to turn off the feature. It's rather unprofessional to have a meeting for (and this actually happened) a $15 blowjob on my calendar. I mean, I guess there are some illicit businesses that, being very time conscious, plan and slot such things in detail. But it's still the sort of thing I expect Google to catch, especially when the email is already in the spam folder.

This recently started happening to me too! Spam emails with ical/calendar attachments get loaded into my calendar even if they're appropriately flagged as spam in my Gmail inbox.

It's especially annoying as the spammers create repeated alerts (often late at night). I've wound up with dozens of these I have to manually clear from my calendar.

All of this started a few weeks ago. Perhaps it was a regression rather than a new exploit?

Google/Gmail engineers: please file this as a bug.

Note that if in Google calendar you mark one of those events as spam, all the recurring ones are automatically removed, whereas if you just delete one it does not remove the others. There's a 'report spam' option (desktop only) in the little drop down options when you open the event.

I was so frustrated that reporting spam was desktop only. To add insult to injury if you try to go to the web app on your Android phone in a desktop tab it still opens the Android app instead. Since I was at work (and I don't login to any personal accounts on my work laptop) I had to use Firefox mobile to mark them all as spam.

> To add insult to injury if you try to go to the web app on your Android phone in a desktop tab it still opens the Android app instead.

If you long-press the "Desktop" link and "open in new tab", the webapp will be opened in the browser and not in the Android app.

The Gmail Android app has had "Report spam" in the 3-dot menu for a long time.

Which is not what's being discussed here.

Had this happen to me just recently, too. I was super surprised that spam invites showed up on my calendar by default!

Wonder if it was something going around, and maybe Google has already fixed it. Hasn't happened again, fingers crossed.

I can also confirm this as it happened to me yesterday in my Gmail account.

For those that prefer a more visual guide, I've created one here: https://flowshare.io/flow/how-to-block-spam-invitations-from.... It has a screenshot for every step(desktop) and less than 50 words in total.

Very concise. Btw, I see that you created this tool. It is a brilliant tool. Just wish people would start using this tool to explain the steps instead of writing them in ad filled/narrow column pages.

Thanks ! Let me know if you run into any problems using the site

Even with detailed screenshots for this, the number of steps would be mind boggling for an average web user.

BTW, could you please create a Firefox extension for your site? I see that you only have a Chrome extension.

what would you change to make it easier for the average user ?

That was a criticism of the platform settings being complex to follow since the options are scattered across a few different screens. Google should be the one to make it easier for the average user, if it desires to.

That's a very cool tool, congrats. :)

Thanks !

I have my own slack, just for me. I ise it to have all my calendar invites go to a cal channel...

Can you write up that?

Then all peoples cals can go to their personal slack regardless of source

Unfortunately, the google calendar option doesn't actually reject invitations or really remove them from your calendar, it just hides them for you. If you're sharing your calendar with anybody then they're still visible to them, and as far as I can tell that's unavoidable.

That means if you are sharing you calendar you can't use this option, since it makes it impossible to remove the events that are now spamming everybody else. You have to just manually mark them as spam every time they appear. I get an event like this maybe every other day at the moment, even though they're almost all identical and I've reported them as spam, it's unbelievably annoying. Even more annoying: gmail is actually picking up the invitation email itself as spam, so it's fully aware that it's unwanted, but then it appears in my calendar regardless. Gmail filters to delete them immediately on arrival don't seem to do anything.

I'm right back to the spam dark ages right now, it's terrible.

Oh boy, I didn't realize this and will need to check about this. I thought that filtering would help, but if those folks that I've shared my calendar with are seeing this weirdness....

Between this and the fact any joker can share a document with one's drive... Making google hard to use for business.

I'm now deathly afraid to have any of these products opened when connected to a projector/presenting...

How hard can it be to _not_ insert 30 events from mails that are clearly in the spam folder already?

This issue is baffling to me. If Gmail knows it's spam why on earth are they inserted. Also why inserting 50 events over 4 days suspicious in the first place i don't know.

A "post mortem" would be interesting - why hasn't this been resolved in a couple of days if the solution is that simple and it affects thousands of users over many months?

Couldn't agree more. Spam is assumed to be useless at best, if not outright harmful. This is a vector that is easily shut down and should be ASAP.

I understand this is perhaps the only current solution, but for me this definitely would not work. I actually rely on seeing those un-responded events in my calendar, especially for large group events.

I'd much prefer a "don't show un-responded invites from people you do not know" option.

>the calendar applications from Apple, Google and Microsoft are set by default to accept calendar invites from anyone.

That's insanely dumb.

Why not at least limit calendar invites to contacts or contacts of contacts?

Yeah, accepting anonymous invites is dumb.

I definitely don't want my email application looking at my contacts' contacts, though. That would leak information. And would only work within the same provider.

Contacts of contacts would be a privacy violation.

Who's privacy is being violated if a friend of a friend invites you to do something?

The system in my mind wouldn't tell contacts of contacts "hey, did you know you can invite this person that you've never met with the email@gmail.com that you were previously unaware of (and knows Susy and John) via google calendar?"

It would just whitelist contacts of contacts, and would probably cut out 99.9% of the spam with little to no impact on the user.

It's much less intrusive than Facebook saying "hey, these two friends of yours know this person who is not your friend, do you know them?", at least.

Let's say I'm in the closet, and GLAAD sends out an invite that lands on my father's calendar. Hmmm, who among his contacts also has GLAAD in theirs?

I'm sure there are other scenarios. I don't want my contacts list being used to filter email for other people in my contacts list. It's my list. Not a public web-of-trust thing.

Alice makes a new account and adds Bob to her contacts. Alice sends herself many invitations with spoofed From headers. The ones that get through are Bob's contacts. Bob's privacy was violated.

It's a privacy violation because it leaks who's in your contact's contact list to you.

I personally really appreciate having stuff like restaurant reservations, trains, planes, hotels etc being automatically added to my calendar (which tend to come from no-reply addresses).

I also haven't had seen any spam invites, presumably since Apple's thing is smart enough to ignore email in the spam folder?

There is no way to know the contacts of your contacts. Email isn’t Facebook.

I had one of these show up in my Google Calendar, it was an every-day reoccurring event. I opened the three dot menu on one of the events > Report as spam, and it removed the event and all of its reoccurrences.

I shudder to think how many innocent people will see this and follow through with the scam.

I got a fairly explicit one of these in my calendar the other day, unfortunately it's a calendar I share with my wife, so it appeared on her phone too. That was a fun conversation.

Neither of us could delete the event, either via google calendar or ical. Nor could I find the original email I assume it came from. In the end I just deleted the whole shared calendar.

I had a similar experience, eventually I found the message in my spam folder. It's ridiculous that messages marked as spam show up on the calendar, but now we know.

One of the problems with the suggested solution in the article is that it doesn't apply to other people's view of your calendars - so my partner had an event from my calendar clogging her view but I couldn't see it to remove it!

Weirdly enough, I had an easy "Mark as spam" button on iCal as well as in Google Calendar. I never needed to turn off the auto-event feature because it went away when I marked one as spam.

I wonder if you got a different type of spam than I did.

The awesome part is the steps you take to make it not show up on your own calendar don't actually make it go away. It's still there and will appear for people you share the calendar with.

I was hoping this was about the birthday spam notices in google calendar. There’s no way to delete contact birthday info without deleting the contact.

For some reason Google thinks it’s cool that I’ve emailed “foo@gmail.com” at some point in my life. Foo set their birthday in Gmail and now their birthday shows on my calendar along with people I actually want.

Google says they're working to fix an issue related to this:

From https://support.google.com/calendar/thread/13429505?hl=en :

> We're aware of the spam occurring in Calendar and are working diligently to resolve this issue. We'll post updates to this thread as they become available.

I get this shit all the time, followed a way to disable it on google calendar, unsubscribed from all calendars, uninstalled calendar.app from iphone, and am still getting 'em WTF!

Also mostly russian nonsense

We saw this over the past couple weeks. It freaked me out and google's g suite support was useless. I did report the IAM it looked like these invites came from (to both the cloud fraud form and gsuite support) but maybe that listed IAM is actually google's auto-add-to-calendar bot? I didn't think it made sense to contact cloud enterprise support which tends to have awesome responses.

I was concerned because:

  * we received more sophisticated than usual SPAM/phishing to our employees 'from' one of our partners around the same time
  * we work in politics
  * the timezone on the calendar spam was Russia and multiple staff received the spam invites

Yep, I've been getting Russian events in my google cal that just reappear the day after I report them as spam (which does what?)

Unfortunately, it's pretty inconvenient to just not show calendar events that I haven't accepted. If you have a busy calendar, it can be helpful to prioritize events - some will inevitably be declined or left hanging, but those are useful to see.

It's pretty crazy that calendar invites that are already filtered out to my spam email folder show up in my normal google calendar. Seems like a quick solution for google to go fix.

I have seen this now as a sales tactic, especially with EMC.

I've had a lot of supposed "Enterprise" sales people at well known large companies try to pull that.

They'll send a calendar invite and pretend it's a follow up to a meeting we had. Yeah like I can't see through that bullshit. Immediate report as spam.

Smells like a CFAA violation to me.

Who would want to do business with a company willing to betray trust like this?

They need to let you easily delete events without responding to them. I ended up deleting them without (I think) responding but not until trying two or three different ways which each insisted I had to reply that I wasn’t attending. And now I’m not even sure how I did it and will probably have to cycle through all those attempts again next time.

My problem with this is that I have a russian event every night that only shows up on my phone calendar. I did the fix to remove it from Google calendar through the web, but it's only gone on the web. It still shows up on my phone with no option to delete all.

I've been deleting the next 4 days every 4 days for the last two weeks.

I recently had this problem in an old Samsung phone. The spam was not directly coming from email, but from some other installed app which was somehow tricking S planner (Samsung's calendar app) into adding the events to google's calendar, even though the original spammer app had no calendar permissions.

In my case, I had these spam-invites sent from my G Suite email to my personal Gmail. I could see the emails on the Sent folder.

The weird part is that I had a strong password (1password) + 2-factor on both accounts. I use FF with containers so I only use my email on a container and nowhere else.

I had reviewed all the 3rd party apps and security settings on both accounts and it all looked normal to me. The only issue is that I didn't had the SPF, DMARC and DKIM setup - fixed after it.

I sent email to abuse@google but got no response.

Important detail that Helene mentions in a comment: You should add that that setting in Google Calendar is only available on desktop. I spent a while the other day after getting one of these trying to find the setting on my phone. It’s not there. The setting affects your phone too, just have to use your desktop to change it.

I recently got an iPhone and had this issue for the first time ever, during the first week of usage. It only showed up in the phone-local calendar, so I'm guessing the phone picked it up from some e-mail that Google ignored as spam.

Thank you for posting this. I also had spam showing up in my calendar and feared that my Google account had been hacked. The spam even caused calendar notification sounds to be played in the middle of the night! Worst Default Setting Ever.

I have on occasion thought that this kind of spam should be possible, but never witnessed it, and then, while I was reading this very article, up popped a reminder from Google Calendar about some iPhone that I had allegedly won.

Are these attacks the result of mail programs auto-adding spammy email invites, or of some hacking around with the kinds of features of calendar apps that let you create events with attendees directly?

The article mentions that the calendar applications from Apple, Google and Microsoft are set by default to accept calendar invites from anyone.

For spam in google calendar you just turn off the option that is automatically accepting incoming calendar invites.

It's bizarre that Calendar was set up to allow invitations from non-contacts in the first place.

I was hoping this would be about gettinng rid of events such as "Ashura" in my iPhone calendar. Doubtlessly that day is important to a lot of people. But I would prefer to simply have the US legal holidays, without all the other stuff.

Apple are being real dicks about the all-or-nothing nature of these events. Why can't we have some granularity as to the holidays we see in our Calendar?

> Apple are being real dicks about the all-or-nothing nature of these events. Why can't we have some granularity as to the holidays we see in our Calendar?

Opposing customization in favor of a common consistent curated experience based on Apple’s superior knowledge (especially compared to customers themselves) of what customers want has been the Apple way for a long time.

It is easy to granularly manage holidays in calendar.app.

Step 1: Turn off default holidays calendar.

Step 2: Subscribe to calendar feed of your choice.

There are lots of public calendars with public holidays that you can subscribe to.

I'm struggling to invite friends my kid's birthday so that last-minute changes are reflected.

No MUA is clear how they even parse ICS or "text/calendar" URLs.


This should be a standard!

I started receiving these a few weeks ago :( I thought it must have been an exploit somewhere.

I had this the other day, it was not trivial to find this setting to disable.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact