Apple Says It’s Working to Fight iCloud Calendar Spam

Apple is finally turning its attention to the growing threat of iCloud Calendar spam, the insidious issue that allows spammers to bypass the usual defenses by exploiting a design flaw in Apple’s cloud Calendar invitations. While not new, a surge in Calendar spam has hit users in recent weeks, prompting Apple to issue a statement by way of iMore’s Rene Ritchie.

We are sorry that some of our users are receiving spam calendar invitations. We are actively working to address this issue by identifying and blocking suspicious senders and spam in the invites being sent.

The issue is not only the spam (primarily from Asian retailers pushing counterfeit products) popping up unsolicited on users’ iDevices and Macs; it’s also the risk of exposing recipients to further attacks by confirming that their iCloud accounts are real.

iCloud Calendar Spam & You

Here’s how it works: Apple’s cloud-based Calendar platform allows users to send Calendar invitations to anyone. The spammers exploit this ability to send their junk messages in the form of Calendar invites to every conceivable iCloud account email address. When a real user receives one of the junk invitations and acts on it — i.e., clicks “Decline,” “Accept,” or even “Maybe” — the spammer receives confirmation that the recipient’s account is real.

Eventually, the spammers can narrow down their computer-generated email lists to a potent database of verified accounts upon which a concentrated spam and phishing effort can be initiated. This is similar to how spammers refine their email databases, and it’s why many recommend disabling the Mail app’s ability to automatically load remote content in messages.
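To see why even “Decline” confirms an address, the sketch below (an added example, not Apple's code or anything from the original article) assumes the invitation and the response follow the standard iCalendar scheduling format (RFC 5545/5546 REQUEST and REPLY). The sample invite, its addresses, and the helper names are constructed for illustration.

```python
import re

# Constructed sample invitation (iCalendar REQUEST); every address is made up.
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST", "BEGIN:VEVENT",
    "UID:constructed-0001@example.invalid",
    "SUMMARY:Constructed sample: discount sunglasses",
    "ORGANIZER:mailto:bulk-sender@example.invalid",
    "ATTENDEE;PARTSTAT=NEEDS-ACTION;RSVP=TRUE:mailto:user@example.com",
    "END:VEVENT", "END:VCALENDAR",
])

# Button label -> participation status carried in the REPLY (RFC 5546).
BUTTON_TO_PARTSTAT = {"Accept": "ACCEPTED", "Decline": "DECLINED", "Maybe": "TENTATIVE"}

def prop(ics, name):
    """First property `name`, unfolded (simplified: ignores quoted ':' in parameters)."""
    for line in re.sub(r"\r?\n[ \t]", "", ics).splitlines():
        head, _, value = line.partition(":")
        if head.split(";")[0].upper() == name:
            return value
    return None

def build_reply(invite, button):
    """The REPLY a standards-following client sends when the user taps `button`."""
    return "\r\n".join([
        "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REPLY", "BEGIN:VEVENT",
        "UID:" + prop(invite, "UID"),
        "ORGANIZER:" + prop(invite, "ORGANIZER"),
        "ATTENDEE;PARTSTAT=%s:%s" % (BUTTON_TO_PARTSTAT[button], prop(invite, "ATTENDEE")),
        "END:VEVENT", "END:VCALENDAR",
    ])

def disclosed_to_organizer(invite, button):
    """(who receives the reply, which address it confirms) for one button."""
    reply = build_reply(invite, button)
    return prop(reply, "ORGANIZER"), prop(reply, "ATTENDEE")

def triage(invite, known_senders):
    """Defender-side rule: never answer an invite from an unknown organizer."""
    organizer = prop(invite, "ORGANIZER").split(":", 1)[-1].lower()
    return "respond-normally" if organizer in known_senders else "do-not-respond"

if __name__ == "__main__":
    for button in BUTTON_TO_PARTSTAT:
        print(button, "->", disclosed_to_organizer(SAMPLE_INVITE, button))
    print(triage(SAMPLE_INVITE, {"colleague@example.com"}))
```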

Putting the Spam Back in the Can

Thankfully, there’s a workaround — which we covered earlier this week — that can help you hide these spam Calendar invites without confirming your existence to the spammers. But this type of workaround is relatively clunky and isn’t a realistic long-term solution.

We don’t know exactly how Apple plans to tackle this issue, but we hope the company is employing a more robust strategy than simply deleting the spam accounts. Such an approach would represent an unwinnable game of whack-a-mole, and would be a disservice to the company’s users who currently have no real solution other than disabling their iCloud calendars.

Until Apple can provide more information, however, all users of iCloud Calendars, including those on Mac, iOS, and even users of third-party apps that work with iCloud, such as Fantastical, should stay alert for these spam invites, and take the appropriate action if they receive any.

4 thoughts on “Apple Says It’s Working to Fight iCloud Calendar Spam”

  • Thanks, – now could you please find a way to block THIS:
    Presidents have the power to text all Americans. Will Trump?
    – “Donald Trump, US president-elect and Twitter aficionado, will be able to send unblockable mobile alerts* to all Americans starting Jan. 20.”
    by Joan E. Solsman, CNET-Mobile – December 1, 2016

    *(“President-elect Donald Trump will have access to a system that can send unblockable texts to every phone in the US once he takes the oath of office.
    Wireless Emergency Alerts are part of a program created by a 2006 act of Congress. WEAs can be targeted messages sent to all mobile phones in a particular area, like Amber alerts, or to all phones nationally, like an alert issued by the president, according to a report by New York Magazine’s Select/All blog…
    …There’s no evidence to suggest Trump would use the system for anything other than its intended purpose despite a Twitter habit that borders on addiction. Trump used tweets and other social missives as a direct mouthpiece to his supporters, bolstering his campaign and circumventing traditional media that he sometimes claimed was treating him unfairly…
    … WEAs are limited to 90 characters, though! Trump will need to recalibrate from the 140-character Twitter standard if he wants to shoot all Americans an unblockable text.”)
