I first spoken on a panel about it more than a year earlier than that, along with some people from 1&1 who were very keen to see progress on at least defining the risks!
But it's hard to get attention on fixing things, even in the big players (maybe especially in the big players) until there's user impact.
It's also why, from the very first moment we added this feature in our system, the default in Fastmail has been "only auto-add if it's from somebody in my addressbook". And the "from somebody in my addressbook" test checks for DKIM or SPF alignment.
We also allow turning auto-add off of course, or restricting it only to senders in a particular named addressbook group.
I would be disappointed if I e.g. buy a plane ticket or a ticket to a show and the event is not added to my calendar. (and you never know the email that a show ticket will come from; so I can't add it to my address book)
As an alternative, could you just have it so if I mark an email as spam, any calendar events from it are deleted from my calendar?
With Google I recently had invites from emails sitting in my spam folder show up in my calendar. You would think that being flagged as spam would be simple to filter on. I actually really value the automatic adding of events to my calendar from legitimate emails, so this was very infuriating as the spam continued to pour in over weeks.
Same. I had to turn off the feature. It's rather unprofessional to have a meeting for (and this actually happened) a $15 blowjob on my calendar. I mean, I guess there are some illicit businesses that, being very time conscious, plan and slot such things in detail. But it's still the sort of thing I expect Google to catch, especially when the email is already in the spam folder.
This recently started happening to me too! Spam emails with ical/calendar attachments get loaded into my calendar even if they're appropriately flagged as spam in my Gmail inbox.
It's especially annoying as the spammers create repeated alerts (often late at night). I've wound up with dozens of these I have to manually clear from my calendar.
All of this started a few weeks ago. Perhaps it was a regression rather than a new exploit?
Google/Gmail engineers: please file this as a bug.
Very concise. Btw, I see that you created this tool. It is a brilliant tool. Just wish people would start using this tool to explain the steps instead of writing them in ad filled/narrow column pages.
Unfortunately, the google calendar option doesn't actually reject invitations or really remove them from your calendar, it just hides them for you. If you're sharing your calendar with anybody then they're still visible to them, and as far as I can tell that's unavoidable.
That means if you are sharing you calendar you can't use this option, since it makes it impossible to remove the events that are now spamming everybody else. You have to just manually mark them as spam every time they appear. I get an event like this maybe every other day at the moment, even though they're almost all identical and I've reported them as spam, it's unbelievably annoying. Even more annoying: gmail is actually picking up the invitation email itself as spam, so it's fully aware that it's unwanted, but then it appears in my calendar regardless. Gmail filters to delete them immediately on arrival don't seem to do anything.
I'm right back to the spam dark ages right now, it's terrible.
Oh boy, I didn't realize this and will need to check about this. I thought that filtering would help, but if those folks that I've shared my calendar with are seeing this weirdness....
Between this and the fact any joker can share a document with one's drive... Making google hard to use for business.
I'm now deathly afraid to have any of these products opened when connected to a projector/presenting...
How hard can it be to _not_ insert 30 events from mails that are clearly in the spam folder already?
This issue is baffling to me. If Gmail knows it's spam why on earth are they inserted. Also why inserting 50 events over 4 days suspicious in the first place i don't know.
A "post mortem" would be interesting - why hasn't this been resolved in a couple of days if the solution is that simple and it affects thousands of users over many months?
I understand this is perhaps the only current solution, but for me this definitely would not work. I actually rely on seeing those un-responded events in my calendar, especially for large group events.
I'd much prefer a "don't show un-responded invites from people you do not know" option.
I definitely don't want my email application looking at my contacts' contacts, though. That would leak information. And would only work within the same provider.
I personally really appreciate having stuff like restaurant reservations, trains, planes, hotels etc being automatically added to my calendar (which tend to come from no-reply addresses).
I also haven't had seen any spam invites, presumably since Apple's thing is smart enough to ignore email in the spam folder?
I had one of these show up in my Google Calendar, it was an every-day reoccurring event. I opened the three dot menu on one of the events > Report as spam, and it removed the event and all of its reoccurrences.
I shudder to think how many innocent people will see this and follow through with the scam.
I got a fairly explicit one of these in my calendar the other day, unfortunately it's a calendar I share with my wife, so it appeared on her phone too. That was a fun conversation.
Neither of us could delete the event, either via google calendar or ical. Nor could I find the original email I assume it came from. In the end I just deleted the whole shared calendar.
I had a similar experience, eventually I found the message in my spam folder. It's ridiculous that messages marked as spam show up on the calendar, but now we know.
One of the problems with the suggested solution in the article is that it doesn't apply to other people's view of your calendars - so my partner had an event from my calendar clogging her view but I couldn't see it to remove it!
Weirdly enough, I had an easy "Mark as spam" button on iCal as well as in Google Calendar. I never needed to turn off the auto-event feature because it went away when I marked one as spam.
I wonder if you got a different type of spam than I did.
The awesome part is the steps you take to make it not show up on your own calendar don't actually make it go away. It's still there and will appear for people you share the calendar with.
I was hoping this was about the birthday spam notices in google calendar. There’s no way to delete contact birthday info without deleting the contact.
For some reason Google thinks it’s cool that I’ve emailed “[email protected]” at some point in my life. Foo set their birthday in Gmail and now their birthday shows on my calendar along with people I actually want.
> We're aware of the spam occurring in Calendar and are working diligently to resolve this issue. We'll post updates to this thread as they become available.
I get this shit all the time, followed a way to disable it on google calendar, unsubscribed from all calendars, uninstalled calendar.app from iphone, and am still getting 'em WTF!
We saw this over the past couple weeks. It freaked me out and google's g suite support was useless. I did report the IAM it looked like these invites came from (to both the cloud fraud form and gsuite support) but maybe that listed IAM is actually google's auto-add-to-calendar bot? I didn't think it made sense to contact cloud enterprise support which tends to have awesome responses.
I was concerned because:
* we received more sophisticated than usual SPAM/phishing to our employees 'from' one of our partners around the same time
* we work in politics
* the timezone on the calendar spam was Russia and multiple staff received the spam invites
Yep, I've been getting Russian events in my google cal that just reappear the day after I report them as spam (which does what?)
Unfortunately, it's pretty inconvenient to just not show calendar events that I haven't accepted. If you have a busy calendar, it can be helpful to prioritize events - some will inevitably be declined or left hanging, but those are useful to see.
It's pretty crazy that calendar invites that are already filtered out to my spam email folder show up in my normal google calendar. Seems like a quick solution for google to go fix.
I've had a lot of supposed "Enterprise" sales people at well known large companies try to pull that.
They'll send a calendar invite and pretend it's a follow up to a meeting we had. Yeah like I can't see through that bullshit. Immediate report as spam.
They need to let you easily delete events without responding to them. I ended up deleting them without (I think) responding but not until trying two or three different ways which each insisted I had to reply that I wasn’t attending. And now I’m not even sure how I did it and will probably have to cycle through all those attempts again next time.
My problem with this is that I have a russian event every night that only shows up on my phone calendar. I did the fix to remove it from Google calendar through the web, but it's only gone on the web. It still shows up on my phone with no option to delete all.
I've been deleting the next 4 days every 4 days for the last two weeks.
I recently had this problem in an old Samsung phone. The spam was not directly coming from email, but from some other installed app which was somehow tricking S planner (Samsung's calendar app) into adding the events to google's calendar, even though the original spammer app had no calendar permissions.
In my case, I had these spam-invites sent from my G Suite email to my personal Gmail. I could see the emails on the Sent folder.
The weird part is that I had a strong password (1password) + 2-factor on both accounts. I use FF with containers so I only use my email on a container and nowhere else.
I had reviewed all the 3rd party apps and security settings on both accounts and it all looked normal to me. The only issue is that I didn't had the SPF, DMARC and DKIM setup - fixed after it.
Important detail that Helene mentions in a comment:
You should add that that setting in Google Calendar is only available on desktop.
I spent a while the other day after getting one of these trying to find the setting on my phone. It’s not there. The setting affects your phone too, just have to use your desktop to change it.
[+] [-] brongondwana|6 years ago|reply
https://www.calconnect.org/news/2019/01/18/calconnect-publis...
I first spoken on a panel about it more than a year earlier than that, along with some people from 1&1 who were very keen to see progress on at least defining the risks!
But it's hard to get attention on fixing things, even in the big players (maybe especially in the big players) until there's user impact.
It's also why, from the very first moment we added this feature in our system, the default in Fastmail has been "only auto-add if it's from somebody in my addressbook". And the "from somebody in my addressbook" test checks for DKIM or SPF alignment.
We also allow turning auto-add off of course, or restricting it only to senders in a particular named addressbook group.
[+] [-] daurnimator|6 years ago|reply
As an alternative, could you just have it so if I mark an email as spam, any calendar events from it are deleted from my calendar?
[+] [-] srtjstjsj|6 years ago|reply
From 2012, the first(?) time this was a widespread issue on the web: https://www.theverge.com/2012/6/29/3126837/google-plus-event...
and Google has been enduring calendar spam for years beyong Google+: https://support.google.com/calendar/forum/AAAAd3GaXpE5kUOfyI...
[+] [-] mcbuilder|6 years ago|reply
[+] [-] ineedasername|6 years ago|reply
[+] [-] echelon|6 years ago|reply
It's especially annoying as the spammers create repeated alerts (often late at night). I've wound up with dozens of these I have to manually clear from my calendar.
All of this started a few weeks ago. Perhaps it was a regression rather than a new exploit?
Google/Gmail engineers: please file this as a bug.
[+] [-] ptmcc|6 years ago|reply
Wonder if it was something going around, and maybe Google has already fixed it. Hasn't happened again, fingers crossed.
[+] [-] sschueller|6 years ago|reply
[+] [-] joshi4|6 years ago|reply
[+] [-] chopete|6 years ago|reply
[+] [-] wtmt|6 years ago|reply
BTW, could you please create a Firefox extension for your site? I see that you only have a Chrome extension.
[+] [-] klausjensen|6 years ago|reply
[+] [-] samstave|6 years ago|reply
Can you write up that?
Then all peoples cals can go to their personal slack regardless of source
[+] [-] pimterry|6 years ago|reply
That means if you are sharing you calendar you can't use this option, since it makes it impossible to remove the events that are now spamming everybody else. You have to just manually mark them as spam every time they appear. I get an event like this maybe every other day at the moment, even though they're almost all identical and I've reported them as spam, it's unbelievably annoying. Even more annoying: gmail is actually picking up the invitation email itself as spam, so it's fully aware that it's unwanted, but then it appears in my calendar regardless. Gmail filters to delete them immediately on arrival don't seem to do anything.
I'm right back to the spam dark ages right now, it's terrible.
[+] [-] flowersjeff|6 years ago|reply
Between this and the fact any joker can share a document with one's drive... Making google hard to use for business.
I'm now deathly afraid to have any of these products opened when connected to a projector/presenting...
[+] [-] kossTKR|6 years ago|reply
This issue is baffling to me. If Gmail knows it's spam why on earth are they inserted. Also why inserting 50 events over 4 days suspicious in the first place i don't know.
A "post mortem" would be interesting - why hasn't this been resolved in a couple of days if the solution is that simple and it affects thousands of users over many months?
[+] [-] grosswait|6 years ago|reply
[+] [-] hn_throwaway_99|6 years ago|reply
I'd much prefer a "don't show un-responded invites from people you do not know" option.
[+] [-] flyGuyOnTheSly|6 years ago|reply
That's insanely dumb.
Why not at least limit calendar invites to contacts or contacts of contacts?
[+] [-] function_seven|6 years ago|reply
I definitely don't want my email application looking at my contacts' contacts, though. That would leak information. And would only work within the same provider.
[+] [-] comboy|6 years ago|reply
[+] [-] kalleboo|6 years ago|reply
I also haven't had seen any spam invites, presumably since Apple's thing is smart enough to ignore email in the spam folder?
[+] [-] tinus_hn|6 years ago|reply
[+] [-] wildrhythms|6 years ago|reply
I shudder to think how many innocent people will see this and follow through with the scam.
[+] [-] phpnode|6 years ago|reply
Neither of us could delete the event, either via google calendar or ical. Nor could I find the original email I assume it came from. In the end I just deleted the whole shared calendar.
[+] [-] netghost|6 years ago|reply
[+] [-] zanchey|6 years ago|reply
[+] [-] Zarel|6 years ago|reply
I wonder if you got a different type of spam than I did.
[+] [-] russdill|6 years ago|reply
[+] [-] prepend|6 years ago|reply
For some reason Google thinks it’s cool that I’ve emailed “[email protected]” at some point in my life. Foo set their birthday in Gmail and now their birthday shows on my calendar along with people I actually want.
[+] [-] adrianmonk|6 years ago|reply
From https://support.google.com/calendar/thread/13429505?hl=en :
> We're aware of the spam occurring in Calendar and are working diligently to resolve this issue. We'll post updates to this thread as they become available.
[+] [-] agustif|6 years ago|reply
Also mostly russian nonsense
[+] [-] dillondoyle|6 years ago|reply
I was concerned because:
[+] [-] mbowcutt|6 years ago|reply
Unfortunately, it's pretty inconvenient to just not show calendar events that I haven't accepted. If you have a busy calendar, it can be helpful to prioritize events - some will inevitably be declined or left hanging, but those are useful to see.
It's pretty crazy that calendar invites that are already filtered out to my spam email folder show up in my normal google calendar. Seems like a quick solution for google to go fix.
[+] [-] deathhand|6 years ago|reply
[+] [-] SteveNuts|6 years ago|reply
They'll send a calendar invite and pretend it's a follow up to a meeting we had. Yeah like I can't see through that bullshit. Immediate report as spam.
[+] [-] dwighttk|6 years ago|reply
[+] [-] npmaile|6 years ago|reply
I've been deleting the next 4 days every 4 days for the last two weeks.
[+] [-] WhiteSage|6 years ago|reply
[+] [-] guiporto|6 years ago|reply
The weird part is that I had a strong password (1password) + 2-factor on both accounts. I use FF with containers so I only use my email on a container and nowhere else.
I had reviewed all the 3rd party apps and security settings on both accounts and it all looked normal to me. The only issue is that I didn't had the SPF, DMARC and DKIM setup - fixed after it.
I sent email to abuse@google but got no response.
[+] [-] phil9987|6 years ago|reply