IT Security Blog

Back in May of this year we blogged about the increased use of Calendar Spam - unsolicited calendar invites being sent by spammers to deliver content to your inbox.  These are particularly annoying for several reasons:

-- Some phones (like the iPhone) will automatically wake up when you receive a new calendar invite and display the details of the invite on screen
-- The default behavior of the most commonly used calendar applications is to automatically display events that you have been invited to on your calendar regardless of whether you have accepted the invitation or not, and in many cases will even block out the reserved time on your calendar as "Tentative"
-- If you ignore the invite and it was sent with a reminder attached to it, the message will notify you again shortly before the proposed meeting is scheduled to take place
-- If you decline the invite, you have essentially validated your email address to whoever is the recipient of the notification that you refused the meeting

Earlier this week myself, my boss, and our CTO received an unsolicited calendar invite from the folks over at Nimsoft (sorry, you spammed so you get called out in public) alleging that they have made several unsuccessful attempts to contact us via telephone (they never called me!) and want to setup a demo of their new monitoring solution.  That same day my boss received an email advertising this concept of In-Calendar "Marketing" (ironic that they sent a spam email to advertise their calendar "Marketing", no? :) ):




So, In-Calendar "Marketing" is essentially riding on the coattails of tactics spammers use to attempt to increase deliverability into the inbox.  Their primary intent is to attempt to circumvent spam filters because they know they aren't sending legitimate or wanted content. 

It's a clever tactic because it increases the stickiness of the message as well.  If you get a Viagra email in your inbox and you delete it, no harm and no foul.  With calendar spams, the time may get reserved on your calendar and appear to others as if you are scheduled for a meeting thus reducing your own productivity as well as remind you of the unwanted invitation before the demo/sales call/whatever was scheduled to begin. 

I can certainly understand why these marketers (a term I am using very loosely in this case) are doing whatever they can to increase their own deliverability rates, especially in tough economic times, but instead of resorting to tactics that are clearly being used as a copycat spammer tactic maybe they should try following published best practices instead.   A novel concept....

There have been more and more complaints popping up on the internet lately in relation to a new type of spam: Calendar Spam.  Calendar Spam introduces some new annoyances and some potential tricky pitfalls that we are used to seeing from typical spam.

Since the announcement of the Google CAPTCHA compromise and the influx of spam and blowback that has been eminating out of the Google network since, it is clear that there is no easy solution to this problem from Google's standpoint (I am giving them the benefit of the doubt that more is being done on the backend than their claims that they are shutting accounts down as quickly as they can, which is clearly a futile effort).   Now spammers have started also abusing the Google system to send out spam calendar invites. 

One might say: Calendar invites are no more intrusive than spam.  I can easily delete them from my inbox just like any other message. 

True, except the default behavior of the Google Calendar (and of the Outlook calendar, actually) is to automatically display events that you have been invited to in your calendar, even if you have not responded to them.  So, what this means is that if the spammy calendar event was sent to you with a reminder (which they all are), then you will still receive the reminder notification even if you deleted the original invite from your mailbox.

So, what to do?  Should you decline these events?  Doing so and sending a notification back to the original sender is essentially a validation of your email address which will open the floodgates for more spam.  Ignoring it obviously doesn't yield the desired result either as we just discussed. 

In fairness, Google does provide some guidance on how to prevent Calendar Spam, which essentially involves not auto-adding events to your calendar.  A nice work around, but certainly not a "fix" in my opinion.   This is an important calendaring feature, which is why many of the widely used calendars support it.  Simply turning it off because you are receiving spam calendar invites is merely an inconvenient band-aid.

I've also seen some people say "Google signs their mail with DKIM.  Shouldn't that help?"  Neither DKIM nor Sender ID Framework do anything to determine the reputation of the sender nor does it make any positive or negative determination as to the content of the message.  They only help to determine whether or not the message was spoofed or forged.  In this case, since the message is originating through Google's own servers, it will pass any kind of authentication mechanism. 

This goes back to the age old discussion that we have had many times in that spammers will latch onto any type of technology they can get their hands on and will use and abuse it in every way possible (many times in ways you and I never even thought they could be abused!).

Clearly Google's problems are running deeper and deeper by the day.  New vulnerabilities and abuses of their services are being unconvered on a seemingly daily basis.  More and more service providers are starting to block communications from Google as a result which will start to make them a less viable option for users and businesses alike which will cut into Google's top and bottom lines.  Google has some great tools and certainly are an innovation driven company.  Now if only their security would start to catch up to their innovation...