Recognizing that calendar spam is a growing exploitation channel, CalConnect and the global anti-abuse association M3AAWG have joined forces to develop new methods to protect end-users from unsolicited and malicious event notices. The new liaison between the scheduling developers’ organization and the Messaging, Malware and Mobile Anti-Abuse Working Group will accelerate industry efforts to develop techniques that block invites to fake events and other malicious notices on popular calendaring platforms.
Calendar spam is a new form of abuse that takes advantage of the application layer across multiple technologies, including scheduling, calendaring and messaging systems. For example, users have received fraudulent emails impersonating well-known brands that include calendar invites to special “discount” events. As is the case with email spam, calendar spam can be used for malicious purposes such as phishing or to deliver malware payloads.
CalConnect (The Calendaring and Scheduling Consortium) also has established a new technical committee, TC CALSPAM, to better protect users from calendar system abuse. The committee aims to understand the current and potential use of calendar systems as a vector for delivering undesired information and will provide current information and guidelines on the topic to CalConnect and M3AAWG participants.
“Calendaring is an intimate part of everyone’s lives. Calendar spam is particularly unsettling because the abuse directly pops up on a person’s calendar. It’s personally disruptive and especially disturbing,” said Thomas Schäfer, 1&1’s Head of Technical Site Management who chairs TC CALSPAM.
Differs from Other Abuse Schemes
CalConnect and M3AAWG will develop the measures and best practices for developers and system operators to ensure legitimate usage of their platforms. The collaborative effort is important because calendar spam is unique as an abuse vector in a number of ways:
- Calendar spam, unlike email, can be placed chronologically anywhere in a calendar – in the past or the future, not just the present – making it difficult to detect at the time of delivery.
- Spam meeting invitations can be automatically added to calendars without the users’ consent with notifications sent to all their devices. These invitations are not only difficult to find but, in some cases, there is no way for the user to remove these events short of deleting the entire calendar.
- Calendar events and meeting invitations do not yet carry the rich provenance, i.e., the detailed header information that is included in email, making it difficult to ascertain where and when events originated and where they were delivered.
- Calendar events often contain notifications or alarms that are propagated across a user’s many desktop and mobile calendaring clients, exacerbating the problem.
M3AAWG Executive Director Jerry Upton said, “Calendar spam has shown itself to be a new but rapidly maturing vector for spammers. As we’ve seen in addressing other abuse issues in M3AAWG, cross-domain problems like this require input from experts in multiple disciplines and collaborating with CalConnect and their subject matter is the most direct route to combatting this evolving threat.”
Call for Industry Participation
The reciprocal membership agreement between the two organizations became effective in February and allows the calendaring and scheduling developers, vendors and service providers in CalConnect and the messaging and email authentication experts in M3AAWG to share information and work. CalConnect members participated in the M3AAWG 42nd General Meeting in San Francisco in February, kicking off the joint work on applicable anti-abuse methodologies. The 43rd M3AAWG General Meeting will be held June 4-7 in Munich, Germany.
CalConnect President Rutger Geelen said, “We recognize that calendar spam is a real threat and a growing problem. First and foremost, we endeavor to protect users against such abuse. Since event and meeting invitations are often delivered via email, it makes sense to collaborate with the messaging identity and authentication experts at M3AAWG in our effort to return full control of collaboration and communications to the end users themselves.”