Calendar spam on Apple systems

Mac and iOS users have been seeing a lot of strange entries appearing in their calendars for a while now, but there has been a big increase over the last few weeks. There are a couple different explanations for this, but the good news is that neither of them involves malware.

The first cause has been occurring for a couple years, since the introduction of a new feature in OS X 10.11 (El Capitan) and iOS 9, which suggests events found in other apps. For example, if you get an e-mail in Mail with information about an airline flight, that flight will show up in the Calendar app as a suggestion.

If this happens for a specific event from a spam e-mail, or any other event that you don’t want in your calendar, you can simply select it and click the Ignore button. Easy peasy.

However, maybe you don’t want to see those suggestions at all. If that’s the case, you can turn them off. First, in Mail on OS X, open the preferences, click the General icon, and change the “Add invitations to Calendar” setting to Never.

mac-mail-calendar-invites

On iOS 9, a similar setting can be found in Settings > Mail, Contacts, Calendars, where you should turn off the “Events Found in Mail” option. On iOS 10, that option is named “Events Found in Apps”, and is found in Settings > Calendar.

You can, of course, still add events found in Mail, and any other app that supports it, using the data detection features in macOS. Simply hover over the relevant info and click the down arrow to start the process of creating an event in the calendar:

mac-mail-add-event

The second cause for these problems is a bit more troublesome and has become a very common problem in just the last few weeks. Spammers have learned that they can send calendar invitations to your iCloud address, thus spamming not your e-mail account but your calendar itself.

Worse, these invitations show up in the Notification Center, so the spam actually shows up within the interface of macOS and iOS, rather than just in Mail.

If that’s not bad enough, getting rid of these invitations is another problem. Sure, you can simply decline them and move on… but the problem with doing that is that accepting or declining these invitations sends a response back to the spammer, which could confirm that your address is good, thus leading to further spam.

There are many blog articles and forum posts out there about how to delete these messages without notifying the sender that you have done so. The prevalent wisdom says that adding the events to a temporary calendar, then deleting that calendar, will delete the events without sending a notification. This seems to be backed up by the fact that macOS will give you the option to delete without notifying:

mac-calendar-delete

Unfortunately, I’ve been testing this for a couple days, between my calendar and my wife’s calendar, and it doesn’t work for me. Even if I click Delete and Don’t Notify, or if I do this from iOS as some sites suggest, the sender will always get a notification that the invitation was declined.

I’m not yet sure whether this is an absolute or whether certain settings cause this to work in some cases and not work in others. It’s possible this will work for some people. However, it’s certainly true that you can’t rely on being able to delete those events without notification, and you won’t be able to tell from your end if the notification was sent or not.

How big a deal is this? Potentially, it could result in a sudden flood of new calendar spams. It’s also possible it could result in nothing at all. It’s hard to know which is the case, but the risk of the former is definitely unappealing.

So, what can be done? There are several things that need to be addressed: reporting, removing, and preventing the spam.

Reporting

These spam events can be reported to Apple so that they can close the offending iCloud account. This will be like shooting at a moving target, but nonetheless, it’s important to shut down each iCloud account that sends this kind of spam.

To report it, open the Calendar app on your Mac and locate the event there. Do not accept or decline it, but drag the event to the desktop. Dropping it there should create a file with an icon similar to the Calendar icon and ending in “.ics”. This file contains all the information about the event, including who sent it.

Next, send a message to spam@icloud.com briefly explaining the problem (nothing more than a few sentences at most), and attach that .ics file to the message. Once the message has been sent, you can delete the .ics file, but don’t delete the event from the Calendar app!

Removing

After you’ve reported the spam, you’ll want to “quarantine” these spams in a junk calendar. First, create a new calendar in your iCloud account, which you can do in the Calendar app on macOS or iOS, or even on iCloud.com itself. Name that new calendar something like “Junk,” and make sure that it isn’t shown on the calendar. (On macOS or iOS, uncheck it in the calendar list to hide events in that calendar.)

mac-calendar-junk

Next, without accepting or declining the spam event, move it to this Junk calendar. This can be done in the Calendar app on macOS. It can also be done in the Calendar app on iOS by tapping the event, then changing the calendar on the Event Details screen.

At this point, the event will still be there, but it will be in a different calendar and will be hidden, so you won’t see the spam events mixed in with your other events. Leave them there. If you have items in the Notification Center for those events, close them without accepting or declining.

At some point, after you haven’t gotten any more calendar spam for a few weeks or months, you should be able to safely delete the Junk calendar, and any notifications won’t get through because the offending iCloud accounts (which you will have reported) should have been banned by that point.

If by some chance you keep getting that spam for a long time, you can create additional calendars periodically (Junk 2, Junk 3, etc) and delete the older ones after a while.

There are no guarantees, of course. All this relies on Apple closing those accounts in a timely fashion and if Apple suddenly gets swamped with more spam reports than they’re prepared to handle, it’s possible that it may not happen quickly.

Prevention

There is also the question of how to prevent this from happening in the future. Unfortunately, again, the conventional wisdom appears to be failing. Many sites are saying to log in to iCloud.com, then go to the Calendar there and click the gear button at the bottom left corner of the page to open the iCloud Calendar settings. Then, click the Advanced icon and change the Invitations setting from the default (“In-app notifications”) to “Email to youraddress@somewhere.com”.

icloud-calendar-settings

In my testing, however, this did nothing to prevent an invitation from showing up in the Calendar app. I’m unclear as to whether this is because this setting doesn’t behave as people are assuming it does, or if it would have worked if my spam filter had caught the e-mail message with the invitation before it hit my inbox (it didn’t).

So, I won’t say this isn’t worth trying… if you’re getting lots of repeated Calendar spam, it would definitely be worth trying to change this setting and then train Mail’s spam filter to catch those spam invites. Of course, it’s also possible that this may result in legit invites ending up in your spam folder, so you’ll need to keep a close eye on that.

However, the most important preventative step you can take requires some premeditation. My iCloud e-mail address is a jealously-guarded secret… not many people outside my family know that address, so it never receives spam. If you can pre-emptively do the same with a new iCloud account, using an e-mail address that you only use for that iCloud account and nothing else, then that will go a long way towards avoiding spam.

Of course, this does nothing to stop the problem once it has started. However, you may be able to change your Apple ID e-mail address, which would help to cut off the flow. If your address ends in @icloud.com, @me.com, or @mac.com, you may not be able to change it at this point, but for anyone else it would be worth a try.

You’ve probably gotten the message at this point that there really aren’t any ideal solutions. All this is unfortunately a hassle right now. After watching Apple for 32 years, though, I’m fairly confident that this is something they’ll take action to correct… but, if they do, it will likely take some time, and an update to macOS and iOS, to implement anti-spam controls on the Calendar.

Source: Malwarebytes Labs @ November 30, 2016 at 01:29PM

0
Share