April 22, 2008 at 8:00 AM ET
Thank goodness the reminder popped up at 9:15 a.m., just a few minutes before my "meeting." Otherwise, I might have forgotten to claim my winnings.
"[Invitation] CLAIM PRIZE," the meeting reminder said. And when I opened the appointment, I was reminded of my good fortune. "Attn: Winner, We wish to congratulate you over your email success in our AMSTEL LOTTO balloting. ... You have been approve for the star prize of Euro 750,000."
I've received several such meeting invitations in recent days, and so have e-mail users across the Internet. Combine two of your least-favorite things -- unwanted meeting invitations and spam -- and you've got a major new Net nuisance. Computer security folks have taken to calling it "calendar spam."
Calendar spam arrives like any other spam – as an unwanted e-mail. But here's the problem: it also shows up as a meeting. That means the time specified on the spam will be blocked off on your online calendar, triggering an annoying reminder at the appointed hour. If you're a spammer, that's a major upgrade over your usual silent forays into consumers' junk mail folders.
Making matters worse, ignoring calendar spam doesn't make it go away. Because of the way Microsoft Outlook and Google calendars work, unanswered calendar spam will usually shove its way onto your calendar.
While the technique first appeared about a year ago, it didn't become commonplace until a couple of weeks ago. Now, in the words of Message Labs researcher Alex Shipp, "We are seeing these by the truck load."
That means if you haven't seen them yet, you will.
So far, the messages aren't dangerous -- simply the usual fare featuring invitations to get burned in a Nigerian scam, announcements of fake lottery winnings and the like. While the spam I've received only hits Microsoft and Google calendars, other users report that their Yahoo calendars also have been attacked.
The spam is particularly effective because of the way scheduling software works. It's designed to give other people access to your schedule. When recipients get an invitation to a meeting, the time is immediately blocked out while the system waits for an answer. That makes sense from an organizational perspective, to avoid overlapping meeting invitations. If the meeting request is simply ignored, the time is still listed as tentative.
"It's by design," said David Cowings, a researcher at Symantec Corp. "Anything that's not in the deleted folder shows up as an unaccepted meeting."
Cowings said there's been a sharp increase in calendar spam complaints in recent weeks, but there's no sign of a massive outbreak. He's concerned, however, that the technique could catch on. "It has potential," he said. "It's so effective because of the widespread use of Microsoft Exchange."
He's also concerned that new versions of the spam could include malicious payloads such as computer viruses.
RED TAPE WRESTLING TIPS
Coming up with generic advice for handling calendar spam isn't easy. Google has posted specific instructions for changing the way its software handles unaccepted invitations, which helps.
Microsoft Outlook users have several options, but none are ideal. There are instructions on Microsoft's site for turning off automatic acceptance of meeting requests, but that doesn't keep spam invitations off the calendar as "tentative" meetings.
A better method, says Cowings, is to have your Outlook Exchange administrator set up filters to turn away all meeting invitations that come from outside your domain.
In the meantime, the best advice is to ignore the invitation e-mail and delete the meeting if it shows up on your calendar. Deleting the invitation e-mail without opening it should work in most cases. You might be inclined to open the invitation and decline the meeting, but that's a no-no -- it's never a good idea to open anything unexpected from a stranger.
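For administrators, the gateway filter Cowings describes comes down to one check: does the message carry an iCalendar meeting request, and does it come from outside the organization? The sketch below is an added example, not code from Microsoft, Google or Symantec; the domain `example.com`, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

def is_meeting_request(msg):
    """True if any MIME part is an iCalendar invitation (METHOD:REQUEST)."""
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        if str(part.get_param("method", "")).upper() == "REQUEST":
            return True
        body = part.get_payload(decode=True) or b""
        if any(l.strip().upper() == b"METHOD:REQUEST" for l in body.splitlines()):
            return True
    return False

def sender_domain(msg):
    # The From header is forgeable; a real gateway would also check the
    # envelope sender and SPF/DKIM results before trusting "internal".
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def verdict(raw, internal_domain=INTERNAL_DOMAIN):
    """Return 'quarantine' for meeting requests from outside the domain."""
    msg = message_from_string(raw)
    if is_meeting_request(msg) and sender_domain(msg) != internal_domain:
        return "quarantine"
    return "deliver"

def sample(sender):
    # Constructed sample invitation, not a captured message.
    return (
        f"From: {sender}\nTo: user@example.com\n"
        "Subject: [Invitation] CLAIM PRIZE\nMIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nAttn: Winner\n"
        "--b1\nContent-Type: text/calendar; method=REQUEST\n\n"
        "BEGIN:VCALENDAR\nMETHOD:REQUEST\nBEGIN:VEVENT\n"
        "SUMMARY:CLAIM PRIZE\nEND:VEVENT\nEND:VCALENDAR\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    print(verdict(sample("Lotto <promo@lottery.invalid>")))  # outside sender
    print(verdict(sample("Boss <boss@example.com>")))        # inside sender
```

Quarantining rather than deleting leaves room to release legitimate invitations from customers and partners, which a blanket outside-the-domain rule will also catch.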