Apple is finally turning its attention to the growing threat of iCloud Calendar spam, the insidious issue that allows spammers to bypass the usual defenses by exploiting a design flaw in Apple’s cloud Calendar invitations. While not new, a surge in Calendar spam has hit users in recent weeks, prompting Apple to issue a statement by way of iMore’s Rene Ritchie:
“We are sorry that some of our users are receiving spam calendar invitations. We are actively working to address this issue by identifying and blocking suspicious senders and spam in the invites being sent.”
The issue is not only the spam itself, mostly from Asian retailers pushing counterfeit products, popping up unsolicited on users’ iDevices and Macs; it is also the risk of exposing recipients to further attacks by confirming that their iCloud accounts are real.
iCloud Calendar Spam & You
Here’s how it works: Apple’s cloud-based Calendar platform allows users to send Calendar invitations to anyone. The spammers exploit this ability to send their junk messages in the form of Calendar invites to every conceivable iCloud account email address. When a real user receives one of the junk invitations and acts on it — i.e., clicks “Decline,” “Accept,” or even “Maybe” — the spammer receives confirmation that the recipient’s account is real.
Eventually, the spammers can narrow down their computer-generated email lists to a potent database of verified accounts upon which a concentrated spam and phishing effort can be initiated. This is similar to how spammers refine their email databases, and it’s why many recommend disabling the Mail app’s ability to automatically load remote content in messages.
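The confirmation step described above, shown as an added example that is not from the article or from Apple. It assumes the invitation is a standard iCalendar scheduling request (RFC 5545/5546), in which every response is a reply addressed to the organizer; the sample invite, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample invite (RFC 5545 syntax); all names and addresses are made up.
SAMPLE_INVITE = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "SUMMARY:Designer sunglasses 80% off\r\n"
    'ORGANIZER;CN="Deals: Today":mailto:bulk-sender@example.invalid\r\n'
    "ATTENDEE;RSVP=TRUE;PARTSTAT=NEEDS-ACTION:mailto:user@\r\n"
    " example.com\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Calendar buttons and the participation status each one reports (RFC 5546 REPLY).
BUTTON_TO_PARTSTAT = {"Accept": "ACCEPTED", "Decline": "DECLINED", "Maybe": "TENTATIVE"}

# name, optional ;param=value pairs (values may be quoted and contain ':'), then the value
LINE = re.compile(r'^([A-Za-z0-9-]+)((?:;[^=;:]+=(?:"[^"]*"|[^;:"])*)*):(.*)$')
PARAM = re.compile(r';([^=;:]+)=((?:"[^"]*"|[^;:"])*)')

def parse_props(ics_text):
    """Unfold continuation lines, then return (NAME, params, value) per content line."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    props = []
    for line in unfolded.splitlines():
        m = LINE.match(line)
        if m:  # lines that are not well-formed content lines are skipped
            params = {k.upper(): v.strip('"') for k, v in PARAM.findall(m.group(2))}
            props.append((m.group(1).upper(), params, m.group(3)))
    return props

def addr(value):
    """Normalise a mailto: calendar address for comparison."""
    return re.sub(r"(?i)^mailto:", "", value.strip()).lower()

def triage(ics_text, my_address, known_senders):
    """Show what each response button would disclose, and to whom."""
    props = parse_props(ics_text)
    method = next((v.upper() for n, _, v in props if n == "METHOD"), "")
    organizer = next((addr(v) for n, _, v in props if n == "ORGANIZER"), "")
    invited = any(n == "ATTENDEE" and addr(v) == addr(my_address) for n, _, v in props)
    answerable = method == "REQUEST" and invited and bool(organizer)
    # Every button, Decline included, produces a REPLY addressed to the organizer.
    discloses = {b: (organizer, ps) for b, ps in BUTTON_TO_PARTSTAT.items()} if answerable else {}
    unknown = organizer not in {addr(s) for s in known_senders}
    return {"organizer": organizer, "discloses": discloses,
            "verdict": "do-not-respond" if (answerable and unknown) else "normal-handling"}
```

For the constructed invite, all three buttons map to a reply sent to the same organizer address, which is why "Decline" is no safer than "Accept" when the sender is unknown.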
Putting the Spam Back in the Can
Thankfully, there’s a workaround — which we covered earlier this week — that can help you hide these spam Calendar invites without confirming your existence to the spammers. But this type of workaround is relatively clunky and isn’t a realistic long-term solution.
We don’t know exactly how Apple plans to tackle this issue, but we hope the company is employing a more robust strategy than simply deleting the spam accounts. Such an approach would represent an unwinnable game of whack-a-mole, and would be a disservice to the company’s users who currently have no real solution other than disabling their iCloud calendars.
Until Apple can provide more information, however, all users of iCloud Calendars, including those on Mac and iOS and users of third-party apps that work with iCloud, such as Fantastical, should stay alert for these spam invites and take the appropriate action if they receive any.