Over the US Thanksgiving holiday weekend, my social media feed lit up with complaints from other Apple users about iCloud-related calendar spam. Here’s the thing: This isn’t a new problem. In fact, it’s been happening for months. So why hasn’t Apple said anything, and more importantly, why hasn’t it fixed it?
Apple’s recent operating systems all support “data detectors” which can scan and identify calendar invitations in your email and Messages. They’re actually quite clever. If your friend asks you to lunch a week from next Tuesday or your boss sends an email asking you to a planning meeting on Wednesday at 2PM, data detectors are smart enough to understand and can attempt to populate your calendar with the appropriate info. Under ideal circumstances, this is a frictionless system that just makes it easier for you to get work done instead of having to fire up apps to make sure you get everything written down.
Here’s the problem: this same mechanism enables spammers to hit you up with ads for fake sunglasses, boots and other gear. They send these ads to your iCloud email address as calendar invitations. Your Apple device doesn’t discriminate between these invitations and legitimate ones from friends and coworkers.
What’s worse, there isn’t a built-in mechanism to delete these invitations without responding to them. You can ignore them, but they’ll hang out on your calendar indefinitely. If you accept or decline the invitation, the spammer receives an email response. That lets them know your email address is live, which makes it likely you’ll get spammed again in the future.
The correct action, according to reports from various Apple-related blog sites, is to create a new calendar, drag the invitation to the new calendar, then delete that calendar. That deletes the instance of the invitation without responding back to the spammer.
To help prevent the problem from happening again, you can also sign into iCloud.com, open your Calendar, then change the advanced setting “Receive event invitations as” from “in-app notifications” to “email to.” Invites will appear as email, which you can delete like you do with other incoming spam.
This multi-step process is awkward, nonintuitive, and difficult even for people who know what they’re doing. The vast majority of iCloud account users don’t have the faintest idea what to do. It is, quite frankly, an astonishingly stupid, inelegant workaround for what appears to be a glaring security hole in Apple’s data detection scheme.
If this were a new behavior that just popped up over the weekend, I would be willing to grant Apple a pass on this. But it isn’t. I’ve seen the problem pop up occasionally on a relative’s iCloud account since the summer. Reports of this have been going on for months and Apple has done absolutely nothing to fix the problem. They are certainly aware of it, and have been for a very long time.
To date, Apple still has not acknowledged the problem officially to any website, nor have they posted anything to their own knowledge base. There’s plenty of chatter on Apple’s discussion boards, but those are user-led discussions. We should hold Apple’s feet to the fire to make sure a more permanent and effective solution is put in place as soon as possible because this is unacceptable.