If you opened up Google Calendar sometime in the last few weeks only to find your schedule filled with things like “WIN A FREE iPHONE!” or “CHEAP RAYBANS HERE”, you’re by no means the only one.
Spammers have found a way to trick Google Calendar into adding these things to your calendar without you doing anything. Google says it’s aware of the issue, and is working on it.
So what’s going on here?
At some point, Google Calendar picked up a feature that automatically adds any event you’re invited to right onto your calendar, presumably to keep the invite from getting lost in your inbox. The problem: there… doesn’t seem to be much of a filter. If a bot gets your email address and throws it on an invite which gets past Google’s anti-spam system, bam — it’s on your calendar as if you added it yourself.
Google’s acknowledgement of the issue, first spotted by Engadget, comes in the form of a pinned post on the Google Calendar support forum. It reads, simply:
“We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue. We’ll post updates to this thread as they become available. Learn how to report and remove spam. Thank you for your patience.”
In the meantime: if your calendar is filled with repeating spam events, you should be able to remove them in batches by going to Google Calendar on your computer, clicking one of the recurring spam events in question, clicking the three-dot button near the top right of the pop-up, and hitting “Report as spam”.
You can also outright disable the feature that is auto-adding invites to your calendar until Google figures out a better way to keep spammers out.
To disable the “automatically add invite” function:
- Go to Google Calendar on your computer
- Click the cog in the upper right, then hit “Settings”
- On the list on the left, click “Event settings”.
- Look for the “Automatically add invitations” option. Change this to “No, only show invitations to which I have responded.”
As security researcher Brian Krebs points out, a lot of these invites come with URLs attached. For a whole list of reasons (like avoiding malicious pages, phishing sites, etc.), you probably don’t want to go clicking those.