The Google Calendar Spam Dilemma
There have been more and more complaints popping up on the internet lately in relation to a new type of spam: Calendar Spam. Calendar Spam introduces some new annoyances and some potential tricky pitfalls that we are used to seeing from typical spam.
Since the announcement of the Google CAPTCHA compromise and the influx of spam and blowback that has been eminating out of the Google network since, it is clear that there is no easy solution to this problem from Google's standpoint (I am giving them the benefit of the doubt that more is being done on the backend than their claims that they are shutting accounts down as quickly as they can, which is clearly a futile effort). Now spammers have started also abusing the Google system to send out spam calendar invites.
One might say: Calendar invites are no more intrusive than spam. I can easily delete them from my inbox just like any other message.
True, except the default behavior of the Google Calendar (and of the Outlook calendar, actually) is to automatically display events that you have been invited to in your calendar, even if you have not responded to them. So, what this means is that if the spammy calendar event was sent to you with a reminder (which they all are), then you will still receive the reminder notification even if you deleted the original invite from your mailbox.
So, what to do? Should you decline these events? Doing so and sending a notification back to the original sender is essentially a validation of your email address which will open the floodgates for more spam. Ignoring it obviously doesn't yield the desired result either as we just discussed.
In fairness, Google does provide some guidance on how to prevent Calendar Spam, which essentially involves not auto-adding events to your calendar. A nice work around, but certainly not a "fix" in my opinion. This is an important calendaring feature, which is why many of the widely used calendars support it. Simply turning it off because you are receiving spam calendar invites is merely an inconvenient band-aid.
I've also seen some people say "Google signs their mail with DKIM. Shouldn't that help?" Neither DKIM nor Sender ID Framework do anything to determine the reputation of the sender nor does it make any positive or negative determination as to the content of the message. They only help to determine whether or not the message was spoofed or forged. In this case, since the message is originating through Google's own servers, it will pass any kind of authentication mechanism.
This goes back to the age old discussion that we have had many times in that spammers will latch onto any type of technology they can get their hands on and will use and abuse it in every way possible (many times in ways you and I never even thought they could be abused!).
Clearly Google's problems are running deeper and deeper by the day. New vulnerabilities and abuses of their services are being unconvered on a seemingly daily basis. More and more service providers are starting to block communications from Google as a result which will start to make them a less viable option for users and businesses alike which will cut into Google's top and bottom lines. Google has some great tools and certainly are an innovation driven company. Now if only their security would start to catch up to their innovation...
Categories: Spam Calendar Spam
Comments
Re: The Google Calendar Spam Dilemma
I have been receiving spam emails from Google Calendar in my *.edu account. I have never subscribed for Google Calendar. What should I do to stop the spam??
Posted by Bob on May 19, 2008 at 1:41 PM
