Outlook and Google calendar spam

["Richard M. Smith" <rms () computerbytesman com>]

http://blog.washingtonpost.com/securityfix/2008/04/spammers_scheduling_googl
e_out.html

Posted at 02:32 PM ET, 04/10/2008


Spammers Using Google, Outlook Calendars to Get Your Attention

Spammers are starting to use the meeting invite features of both Google
Calendar and Microsoft Outlook to send messages advertising the latest
designer watches and prescription drugs.

This week, Security Fix heard from a reader who said he had received an
e-mail with an Outlook meeting invitation attached. Suitably wary of the
spammy invite, he closed out the e-mail and ignored it. But when he opened
up his Outlook calendar a few minutes later, he was horrified to find the
spam "meeting" was scheduled anyway. 

How would you like an Outlook calendar full of this? (Screenshot created by
Brian Krebs an example of what calendar spam looks like) 

After Googling a bit on the subject, I found that spammers have recently
been doing the same thing to Google Calendar users. Everyone gets spam, but
for obvious reasons having unauthorized meetings sent by a spammer show up
on your calendar is fairly creepy. 

So what's going on here? And is there any way to block this nonsense? 

With Outlook, the problem seems to stem from the program being just a tad
too helpful. When Outlook receives a meeting invite, it blocks off the time
period requested on a provisional basis until the recipient either accepts
or declines the invite. 

The beauty of this approach for the spammer is that if people choose to
decline the invite (and many people may find it extremely difficult to
resist the urge), those people are essentially responding to the spammer --
always a bad idea because it confirms for the spammer that he has reached an
active e-mail address. The situation is worse for people who have
ill-advisedly configured Outlook to automatically accept meeting
invitations. 

I found
<http://groups.google.com/group/google-calendar-help-misc/browse_thread/thre
ad/18742b9ef209c472/e8ff376635545fc7> this post at a Google Calendar support
forum that indicates that Google Calendar users can set it to show only
those events that they have created or accepted. According to Google, here's
how to do that: 

1. Click on "Settings" at the top of any Google Calendar page
2. Select the "General" tab if it isn't selected already.
3. In the "Automatically add invitations to my calendar" section,
select "No, only show invitations to which I have responded."
4. Click on "Save."

Google is urging Calendar users to report calendar spam by visiting
<http://www.google.com/support/calendar/bin/request.py?contact=1> this link.

I'm sure there is a similar setting Outlook users can change to stop
automatically scheduling meetings, but I'll be darned if I can find it
online. If anyone knows of an Outlook fix for this that doesn't involve
editing the Windows registry, please leave instructions in the comments
below and I'll update this entry once I've confirmed them.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.