funsec mailing list archives
Outlook and Google calendar spam
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sat, 12 Apr 2008 08:56:06 -0400
http://blog.washingtonpost.com/securityfix/2008/04/spammers_scheduling_googl e_out.html Posted at 02:32 PM ET, 04/10/2008 Spammers Using Google, Outlook Calendars to Get Your Attention Spammers are starting to use the meeting invite features of both Google Calendar and Microsoft Outlook to send messages advertising the latest designer watches and prescription drugs. This week, Security Fix heard from a reader who said he had received an e-mail with an Outlook meeting invitation attached. Suitably wary of the spammy invite, he closed out the e-mail and ignored it. But when he opened up his Outlook calendar a few minutes later, he was horrified to find the spam "meeting" was scheduled anyway. How would you like an Outlook calendar full of this? (Screenshot created by Brian Krebs an example of what calendar spam looks like) After Googling a bit on the subject, I found that spammers have recently been doing the same thing to Google Calendar users. Everyone gets spam, but for obvious reasons having unauthorized meetings sent by a spammer show up on your calendar is fairly creepy. So what's going on here? And is there any way to block this nonsense? With Outlook, the problem seems to stem from the program being just a tad too helpful. When Outlook receives a meeting invite, it blocks off the time period requested on a provisional basis until the recipient either accepts or declines the invite. The beauty of this approach for the spammer is that if people choose to decline the invite (and many people may find it extremely difficult to resist the urge), those people are essentially responding to the spammer -- always a bad idea because it confirms for the spammer that he has reached an active e-mail address. The situation is worse for people who have ill-advisedly configured Outlook to automatically accept meeting invitations. I found <http://groups.google.com/group/google-calendar-help-misc/browse_thread/thre ad/18742b9ef209c472/e8ff376635545fc7> this post at a Google Calendar support forum that indicates that Google Calendar users can set it to show only those events that they have created or accepted. According to Google, here's how to do that: 1. Click on "Settings" at the top of any Google Calendar page 2. Select the "General" tab if it isn't selected already. 3. In the "Automatically add invitations to my calendar" section, select "No, only show invitations to which I have responded." 4. Click on "Save." Google is urging Calendar users to report calendar spam by visiting <http://www.google.com/support/calendar/bin/request.py?contact=1> this link. I'm sure there is a similar setting Outlook users can change to stop automatically scheduling meetings, but I'll be darned if I can find it online. If anyone knows of an Outlook fix for this that doesn't involve editing the Windows registry, please leave instructions in the comments below and I'll update this entry once I've confirmed them.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Outlook and Google calendar spam Richard M. Smith (Apr 12)
- <Possible follow-ups>
- Re: Outlook and Google calendar spam Paul Ferguson (Apr 12)