Drew Reece wrote:
krisalis903 wrote:
My calendars are uniquely named though and I still get invites, especially my default calendar. Granted they're not random alphanumeric characters, but they're unique enough to where I know what the purpose of each one is, especially the default calendar. Even my boyfriend received his first one last week and he never uses iCal at all.
I'm also suspicious of the claim made by grolaw.
Lets presume that it is possible to send an invite to a specific calendar - how come iCal/ Calendars on OS X or calendars on iOS do not have that option? iCloud is also unable to email an event to a specific calendar. If Apple have created that ability why are spammers the only one ones who can use use it?
I believe any 'default' calendar can get events from email even if it is named something totally random. You can test this all yourself by sending events to your own email address, if you have multiple accounts (or ask a friend to send a dummy invitation).
I think that this issue is made confusing by the fact that multiple places can be setup to add events automatically. e.g. Mail.app on mac OS and iCloud.com settings.
I'm also suspicious of the claim made by grolaw.
It is not "a claim" it is an observation that may well prove to be false, or true.
I have been using the iCal system since .Mac days and have a custom-written docketing front-end for my practice. The majority of my calendars are named after the client and the docket number. They are things like smith_CV2016-1224-DWS where smith is the client's last name, the case number (CV= Civil, 2016 = year filed), 1224 the number that the court assigns to the case (typically, the 1224th case filed that year) and the three initials are those of the judge assigned to the case.
I have dozens of active cases, hundreds of former cases (archived), and I just received the first iCal Spam - and I posted two screen shots. I rather doubt that there is any way for a random guess, or a dictionary attack, to hit a calendar named the way that mine are named. I cannot turn of automatic notifications where my staff and co-counsel use the same calendar to update the case.
I have had just the one hit - on a default calendar name. I have had that hit only on one of my Apple ID accounts (I have more than 10). Yes, it hit on the most active / central account - but: it IS the most active account.
From my screen capture:
The whited out email addresses all have the first three characters in common with my account. It is obvious that the iCal spammer has a list of iCloud email / iCal accounts from this list, alone.
I've killed Home and Work - If an invite comes to smith_CV2016-1224-DWS (not a real case) then I expect that harvesting of accounts is taking place. I created that iCal account on a different Apple ID on a 2012 Mini that is a dedicated scanner station. Let's see if a feedback answer "honeypot" draws any invites.
Meanwhile, this is a greatly annoying hack/exploit and it has the potential to make the entire iCal system useless if this follows the standard SPAM trend of increasing the kind, type, and number of these worthless pieces of data.
Imagine what could be done? In this day and age the calendar notices and links could easily lead the unwary into ransom ware or worse. (Worse would be images and messages that are inappropriate - or, so many that constant notices are a DNS.)
