Update: Response from Apple
According to iMore, Apple is aware of the issue and has issued an official statement:
“We are sorry that some of our users are receiving spam calendar invitations. We are actively working to address this issue by identifying and blocking suspicious senders and spam in the invites being sent.”
I’m still hoping that they give us a method to mark and report these invitations as spam, but hopefully it won’t be as necessary, going forward.
Spam: it’s not just for email anymore! And we aren’t talking about canned meat from Austin, MN.
In our modern technological age, we are used to dealing with unwanted “spam” in our email inbox. Offers to sell you discount goods, re-grow your hair, get you to the top of the search engines, and increase the size of your… well, you get the idea. Most of it is pretty easy to spot. Spammers send millions of emails in the hopes of getting a tiny fraction of a percent of recipients to click. Most email providers and client apps provide some kind of spam filtering, so that the majority never makes it to your inbox. But the spammers get wise to the filtering, and are always looking for new ways to get their message in front of your eyes. Recently, they have been using SMS text messaging. Updates to iOS added the ability to block and report text spam.
We move, they move…
Just like a game of chess, the game keeps changing. And now Apple iCloud users have a new attack vector to guard against: invitations to Calendar events and Photos sharing. The ingenious part of these calendar invite spam attacks is that (depending on your settings… see below) you don’t ever see an email, so it doesn’t go through any spam filters at iCloud or your mail client, and there is no way to mark it or report it as spam.
I first became aware of the issue when my wife received a Calendar invite for a sale on popular brands of designer sunglasses. The invitation sender name is in Chinese (?), and it was sent to a list of other random iCloud.com addresses that she did not know. It is obviously spam. Her gut instinct was to “decline” the invitation, hoping it would go away. Unfortunately, that does not get rid of the unwanted invitation. It still shows up on your calendar as a declined event. There is no way to delete the unwanted event from your calendar, because you don’t “own” the event. Or is there?
I did some searching online and it turns out that a lot of people are seeing this kind of spam, as well as invites to share photos with similar spam advertising URLs. There are a couple of tricks to deal with calendar spam. This article on 9to5mac was helpful.
First, don’t accept or decline the invitation, as this just lets the sender know that they have reached a real account, and that a real person has viewed it. It may result in more spam. But either way, this is how you can get rid of the event from your calendar. Create a new calendar (call it “Spam” or whatever you want), then move the event to that calendar. Finally, delete the temporary calendar and the event will go away as well.
The other thing you can do is log into iCloud.com (from a desktop browser), go to Calendar, then click the gear in the lower left and choose Preferences. On the Advanced tab, change the Invitations option to receive event invitations as emails instead of in-app notifications. This will send the invite to your email first, where it can be marked as spam. If you receive a lot of [legitimate] calendar invitations, this may be an inconvenience.
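Once invitations arrive as email, the attached .ics file can be checked for the traits described in this post: an organizer you don't know, a long list of iCloud recipients, and an advertising URL in the event text. The script below is an added example, not from the original post or from Apple; the function names, the known-senders list, the threshold of five recipients and the sample invite are all assumptions made for illustration.

```python
import re

def unfold(ics):
    # RFC 5545 folding: a line break followed by a space or tab continues the line.
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def mailtos(lines, prop):
    # Lower-cased mailto: addresses from every PROP line (ORGANIZER, ATTENDEE).
    found = []
    for line in lines:
        if re.match(rf"{prop}[;:]", line, re.I):
            found += [a.lower() for a in re.findall(r'mailto:([^\s;:"]+)', line, re.I)]
    return found

def triage(ics, known_senders, bulk_threshold=5):
    # Returns the reasons an invite resembles the spam described in this post.
    # known_senders: set of lower-cased addresses you trust (assumed input).
    lines = unfold(ics)
    reasons = []
    if not any(o in known_senders for o in mailtos(lines, "ORGANIZER")):
        reasons.append("organizer not in known senders")
    icloud = [a for a in mailtos(lines, "ATTENDEE") if a.endswith("@icloud.com")]
    if len(icloud) >= bulk_threshold:
        reasons.append(f"{len(icloud)} iCloud recipients")
    text = " ".join(l for l in lines
                    if re.match(r"(SUMMARY|DESCRIPTION|LOCATION)[;:]", l, re.I))
    if re.search(r"https?://", text, re.I):
        reasons.append("URL in event text")
    return reasons

# Constructed sample invite (not a real message); the SUMMARY line is folded
# across two lines to show why unfolding has to happen before matching.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Designer sunglasses sale http://shop.example/\r\n deal\r\n"
    "ORGANIZER;CN=Unknown:mailto:promo@sender.example\r\n"
    + "".join(f"ATTENDEE:mailto:recipient{i}@icloud.com\r\n" for i in range(6))
    + "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for reason in triage(SAMPLE_ICS, known_senders={"friend@example.com"}):
        print("flag:", reason)
```

An invite that returns an empty list is not proven legitimate; the checks only cover the three traits named above.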
From my research, at this point, there is not much that can be done about spam that comes in as a shared Photos invite. If you know of a solution, feel free to share it in the comments. Hopefully Apple will address these new attack vectors in a security update to Photos, macOS, and iOS, and allow us to block and report offending spammers. The cat and mouse game continues.
“Each game of chess means there’s one less,
variation left to be played.”
– Tim Rice, Chess
Also published on Medium.