Spam via Google Calendar?

Discussion in 'Windows Vista Help' started by Graham Harrison, Jul 22, 2013.

  1. I'm running Vista with Outlook 2007. This morning I got a new calendar
    alert. I've since completely deleted it so I can't remember the precise
    wording of the alert. I never opened the item either in Google Calendar or
    Outlook (they sync together) but I'm pretty sure it was one of those
    Nigerian letters. I should perhaps add that I not long ago started using
    the BT/Yahoo mail app on a Galaxy S2 and I've also accessed Google Calendar
    from the S2.

    Has anyone had any experience of a calendar piece of spam? Which of the
    various apps and programs is most likely to be where the spammer got in to
    my calendar?
    Graham Harrison, Jul 22, 2013
    1. Advertisements

  2. Graham Harrison

    VanguardLH Guest

    Did you yet log into your Google account to check if you chose to
    *share* your calendar? I don't use Google's Calendar but perhaps
    sharing means others can add events to it.
    VanguardLH, Jul 22, 2013
    1. Advertisements

  3. I've just rechecked and NO, I don't share my calendar with anyone. What I
    do do is synch between Google Calendar their Android app and Outlook 2007.

    I'm not really worried about the fact that it happened. However aware I
    might be new things do happen. It's just that this is not something I've
    seen reported anywhere else so I was interested.
    Graham Harrison, Jul 22, 2013
  4. Graham Harrison

    VanguardLH Guest

    Since you didn't share your Google calendar (either public or with
    particular other users), and assuming it was spam as you claim (can't
    really tell since you never looked at it), then change your Google
    account's password. Also change the answers to the personal questions
    used by their "Forgot password" procedure since a hacker would already
    know those to get back into your account after you change the

    Without sharing the calendar or use of your Outlook profile, and if
    the event was not created by you, then someone else logged into your
    account to add the event. This time use a strong password. Make sure
    you don't use the same password at different sites. One site, a
    malicious or hacked one, might know your password there. If you use
    the same one everywhere then they can get into all your other
    accounts, too.

    Use a strong password and use a unique password for each account.
    Conversely, don't use weak passwords and don't share the same password
    across multiple accounts.
    VanguardLH, Jul 23, 2013
  5. I'm grateful for the advice but it doesn't answer the question.

    What I want to know is whether this is a known method of attack? It's not
    one I've experienced previously or even seen reference to and it doesn't
    seem to be something that the various anti spam/phishing/virus etc software
    takes account of.
    Graham Harrison, Jul 23, 2013
  6. Graham Harrison

    VanguardLH Guest

    It does answer the question *if* your account was hacked. Since there
    is no audit records available to you showing when you or someone else
    logged in, from where (IP address), and what actions were committed,
    you won't know if your account got hacked until you start getting
    complaints about spam originating from your account (where the
    Received headers show it came from your account and not the From or
    Rely-To headers that can be anything specified by the sender -- and a
    LOT of e-mail users haven't a clue that From does NOT dictate who is
    the sender but what the sender wants to claim as themself).
    I addressed a possiblity on HOW it could happen. No, hasn't happened
    to me but then I use strong passwords, unique passwords for each site,
    and don't use family names, addresses, soc sec nums, or other info on
    my that can be looked up for the secret security answer for the Forgot
    Password process. Luckily my local security is strong enough that
    I've not been afflicted with keyloggers. And I don't share my Windows
    profile with other users.

    As to your question of whether someone else has encountered Google
    Calendar spam, well, gee, you already know how to Google, right? calendar spam

    Hmm, looks like Google Calendar has a "feature" (flaw) in inviting
    "guests" (spammees) to an event. All they need is an e-mail address,
    and they have scripts to generate those along with sites to cull them
    and bots to harvest from Usenet.

    Is that your correct e-mail address that you weakly obfuscated in the
    From header of your posts here? You think spambots haven't already
    been coded to parse out "remove", "nospam", "noemail", and other
    common and weak phrases from e-mail strings? If your true e-mail
    address is edward<dot>harrison<one><at>btinternet<dot>com then the
    spambots already have your true e-mail address. The spammer can use
    their script to use your true e-mail address from their harvested hit
    list to invite you via an event they add to their calendar. Unless
    you disable it, you'll get invites from anyone in your calendar.

    In my Google search above, the first hit went to:

    It tells you how to configure your Google Calendar to avoid these
    public invites from getting into your calendar. Now would be a good
    time to go through all the settings for all the Google services that
    you use to make sure they are configured how you want instead of using
    the defaults.

    If you don't protect your e-mail address then expect it to get abused.
    Start looking into doling out aliases (not just forwarding addresses)
    to each recipient that wants one or anywhere it might get published.
    Make sure to use a unique alias each time you dole one out. If the
    alias identifies to whom the alias was given or where you used it then
    when it gets spammed then you know exactly who or where it got abused.
    And aliases won't be tied to any Google account. While I use the free
    Spamgourmet service to let me create aliases on-the-fly (I don't have
    to login to dole them out), there are other aliasing services (e.g.,
    Sneakemail). Don't bother with SpamMotel as they are nearly dead, are
    slow, and don't maintain their service. Don't use a forwarding
    service that merely redirects e-mails to your true account. Why not?
    Because when you reply, you will be replying using your real account
    and then the other party will know your e-mail address.
    VanguardLH, Jul 23, 2013
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.