What is Calendar spam?

Spam event in calendar

Around last year’s Black Friday calendar spam was bothering many users of Apple's iCloud as well as other mail providers e.g. mail.com, as a wave of calendar spam hit the affected users and left them with unwanted, unwelcome, undesired obligations in their private and business use calendars without good ways to get rid of them.

How calendar spam is defined and why it does more harm than email spam will be described in this article.

What is calendar spam?

Nowadays people organize meetings using emails (RFC 6047: iCalendar Message-Based Interoperability Protocol (iMIP)) to exchange invites, accepts and declines including everything necessary to know: Location, time, topic and attendees. Mail and calendar systems interact with each other and depending on the user settings, events are often - for convenience reasons and based on default settings - automatically inserted in the users calendar to block time slots and show possible conflicts.

But there are also other ways to receive events e.g. artificial intelligence in client and mobile devices identifying content as being time related and offer options, to create an event out of that. QRCODES scanned on advertisements e.g. for upcoming concerts can include event information which then can be imported in someone’s calendar as well.

Most clients also assign user defined notifications to upcoming events in order to prepare themselves and help them being punctual at the desired location.

An event can include more detailed descriptions, that include HTML and links, which provide the possibility to include the same malicious content as known from phishing emails or links to viruses.

Therefore, calendar spam can be defined as unwanted, unwelcome and undesired entries in your calendar automatically inserted via different ways, mainly email, which may also include malicious content.

Why does calendar spam do more harm to users?

Spam emails are bothersome, but calendar spam hits users in a different emotional space. Because of the calendar being the place to organize someone’s precious time, this is not just one more email filling up a postbox, but an intrusion into someone’s private space.

Furthermore, recurrent events (being inserted just once) can fill up the space every day or even more often. In combination with notifications via push or email, this can lead to much more disturbance, than just one email.

Spam emails can be just deleted, but events are accepted or declined and always (by standards) include feedback to the organizer, so a user can be tracked and identified as existent and active, which makes him a more valuable target for further spam.

Missing an appointment because of someone’s schedule being messed up by unwanted events will causes them to feel unprofessional and to look bad.

Is this a new thread?

No. In 2008 TrendMicro issued the first report on calendar spam seen in public, so this cannot be seen as a new issue.

But what changed in the meantime is, that also due to the efforts organizations like CalConnect made to support interoperability between formerly closed calendaring systems, people now use digital calendars even more. This is also influenced by the growing mobile usage of calendaring applications included in Android, iOS and Windows mobile devices. Therefore it is today more attractive than it has ever been before and calendar spam will be seen more often in the future.

How CalConnect is helping service providers and users?

Calendar spam will be a big topic on the next CalConnect conference in a few weeks in Irvine where leaders in calendaring come together and discuss current issues and mitigation strategies.

As spam filtering being the first line of defence for the problem, CalConnect members already made connections to the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) having their next meeting the week after the CalConnect conference to exchange ideas and the topic has been proposed as a topic for an Open Round Table session.

Another article will describe the identified best practices for services providers as well as mitigation strategies for users and issued after these conferences have taken place.

As this also being a common topic with mail and calendaring involved, united efforts will help to keep people’s schedules clean and safe, also in the future.


about the author

Thomas Schäfer is chair of TC chairs at CalConnect and is affiliated with 1&1 Internet AG in Germany (also offering international service like mail.com and gmx.com), where he has nearly 20 years of experience in working on email and calendaring services.