Users are reporting spam messages and fake adverts on their calendars.
Many users have reported receiving spam messages and invites to fake Black Friday sales on their calendars when syncing iCloud. The spam, which seems to originate from Chinese users, is proving a hassle to get rid of. If you use a calendar for work, you’re likely already familiar with invites. They exist for all major backends, including Goodle Calendar, Microsoft Exhcange and Apple iCloud.
The invitation system is convenient: You only need a person’s email address to send an invite to an event. Unfortunately, it’s simplicity is also a weakness which allows it to be abused. The system doesn’t require you to be in the same group or company as the person you’re sending the invite to. To put it simply, it’s yet another inbox; and like a regular email inbox, it’s prone to spam. All it needs is for a few users to be sucked in by the deal on offer for the spammers to have an incentive to keep going.
There are a few ways to combat calendar spam. From the tech companies’ end, one solution is to introduce an invite rate cap. Most users won’t need to send more than at most a few hundred invites at once. If Apple limited the number of invites that could be sent in a given time period, perhaps to a few hundred, they could stop spammers without inconveniencing the legitimate users. Of course, a spammer could then simply create a second account. The tech companies could combat this too, by monitoring how many accounts originate from any one IP address.
On the user’s end, the options are a bit more limited. If you don’t use iCloud to sync your calendar, the obvious solution is to simply disable syncing of it. If that’s not an option, you can decline the invites. This will make them disappear, but a downside is that the spammer will be notified that you read the invite. This will confirm that your email address is a legitimate one that can be targeted further. Another option is to move your spam to a separate calendar and simply delete that. Be sure to select “delete and don’t notify” when prompted.