Network News

X My Profile
View More Activity

Spammers Using Google, Outlook Calendars to Get Your Attention

Spammers are starting to use the meeting invite features of both Google Calendar and Microsoft Outlook to send messages advertising the latest designer watches and prescription drugs.

This week, Security Fix heard from a reader who said he had received an e-mail with an Outlook meeting invitation attached. Suitably wary of the spammy invite, he closed out the e-mail and ignored it. But when he opened up his Outlook calendar a few minutes later, he was horrified to find the spam "meeting" was scheduled anyway.

How would you like an Outlook calendar full of this? (Screenshot created by Brian Krebs an example of what calendar spam looks like)

After Googling a bit on the subject, I found that spammers have recently been doing the same thing to Google Calendar users. Everyone gets spam, but for obvious reasons having unauthorized meetings sent by a spammer show up on your calendar is fairly creepy.

So what's going on here? And is there any way to block this nonsense?

With Outlook, the problem seems to stem from the program being just a tad too helpful. When Outlook receives a meeting invite, it blocks off the time period requested on a provisional basis until the recipient either accepts or declines the invite.

The beauty of this approach for the spammer is that if people choose to decline the invite (and many people may find it extremely difficult to resist the urge), those people are essentially responding to the spammer -- always a bad idea because it confirms for the spammer that he has reached an active e-mail address. The situation is worse for people who have ill-advisedly configured Outlook to automatically accept meeting invitations.

I found this post at a Google Calendar support forum that indicates that Google Calendar users can set it to show only those events that they have created or accepted. According to Google, here's how to do that:

1. Click on "Settings" at the top of any Google Calendar page
2. Select the "General" tab if it isn't selected already.
3. In the "Automatically add invitations to my calendar" section,
select "No, only show invitations to which I have responded."
4. Click on "Save."

Google is urging Calendar users to report calendar spam by visiting this link.

I'm sure there is a similar setting Outlook users can change to stop automatically scheduling meetings, but I'll be darned if I can find it online. If anyone knows of an Outlook fix for this that doesn't involve editing the Windows registry, please leave instructions in the comments below and I'll update this entry once I've confirmed them.

By Brian Krebs  |  April 10, 2008; 2:32 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Online Banking: Do You Know Your Rights?
Next: Time to Patch Your Flash


"To turn off automatic acceptance of meeting requests, the user has to open the Tools menu and click at Options. As soon as the Options dialog box opens, click at Calendar button. Under Advanced Options in Calendar dialog box, click Resource Scheduling. In the Resource Scheduling dialog box clear the 'Automatically accept meeting requests and process cancellation' check box."

Posted by: Mark Odell | April 10, 2008 3:25 PM | Report abuse

As Mark already mentioned, here is the link to Microsoft for the same thing,

I'm using Outlook 2003 with the latest service pack and found that "Automatically accept meeting requests and process cancellations" is already unchecked. Not sure if this is the default or because I'm not connected to an Exchange server.

Posted by: TJ | April 10, 2008 3:45 PM | Report abuse

The question, however, is NOT how to stop automatic acceptance of meeting requests. As discussed, that's off by default.

The question is how to stop Outlook from blocking off the time on your calendar as a proposed meeting before you've even read the invite. I've never found a way to do this.

Posted by: DK | April 10, 2008 5:31 PM | Report abuse

I'm not clear on this--is the invite added even if you do NOT open the spam? I don't use the computer calendar, but I also NEVER open spam. If I don't know the sender, it gets deleted without being opened. Also, the gmail spam filter works really well so I rarely get this stuff in my inbox.

Posted by: nmaif | April 10, 2008 7:11 PM | Report abuse

You can stop the automatic addition of a tentative meeting when the e-mail is received in Outlook by clearing the check box for "Process requests and responses on arrival" as follows:

1. On the Tools menu, click Options.
2. Click Email Options.
3. Click Tracking Options.
4. Click to clear the "Process requests and responses on arrival" check box.

This still doesn't stop the creation of a tentative meeting if the e-mail is opened or viewed in the reading (preview) pane.

Overall, the reason for the functionality, especially in a corporate setting when used with an Exchange mail server...

"Meetings are automatically placed on the calendar as tentative, so that timeslots will not be overbooked. As meeting updates come in, prior updates are marked "out of date" and are automatically deleted. This means that meeting updates are not accepted in an out of order fashion keeping your calendar items current."

In the past this functionality was done in the e-mail client only when the client was running. Starting with Exchange Server 2007, this can be done on the server via a "Calendar Attendant".

Posted by: TJ | April 10, 2008 10:15 PM | Report abuse

How about creating an Outlook rule, along these lines:

...but instead moving all meeting requests to the Junk Mail folder _except_ those from anyone in the user's address book (or a subset of it)?

Posted by: Mark Odell | April 10, 2008 11:48 PM | Report abuse

Cute. Comment spam in an article on spam.

Posted by: wiredog | April 11, 2008 9:04 AM | Report abuse

Glad I use Notes and not a piece of garbage like Outlook when I read things like this!

Posted by: flobee | April 11, 2008 4:01 PM | Report abuse

Notes? Notes? Seriously, Notes?

I'd rather use pen and paper! ;P

Posted by: TJ | April 12, 2008 11:26 AM | Report abuse

Looks like we have another Gates groupie in TJ. Just admit that security is an afterthought in MS products.

Posted by: flobee | April 15, 2008 11:30 AM | Report abuse

on Entourage: go to Entourage - Preferences - Calendar - uncheck the Tentatively Add Events When Invitations are Received.

Posted by: macuser | April 22, 2008 10:34 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company