For a couple of months now, I've been getting spammy calendar notifications on my phone. Each of them is coming from Google Calendar itself, and they're all coming from my own calendar. Just like everybody else on the planet, I hate spam. So I poked around a bit.
When I opened my calendar, I found it was full of spammy events like this one...
So, had my Google account been compromised? Was somebody using my credentials to add these events? Nope. They were sending me email messages with calendar invites, and Gmail was automatically adding those calendar events, notification settings included, to my calendar. In many cases, I had never even seen the email messages involved. Maybe they were in my spam folder? (If so, that's pretty bad.) Maybe they weren't initially sent to my spam folder, but Gmail re-categorized them later after Calendar imported the event? (I've seen Gmail re-categorize things as spam after they hit my inbox, so this seems plausible.) Maybe it's a bug?
Thankfully, this was easy to fix. Simply open up Google Calendar settings (this was in the web interface, not sure if this setting exists in the mobile app), and uncheck this handy little box.
Of course, even though it's now fixed, I can't help but think that Google should clamp down on this, immediately. Options that make sense to me include:
- By default, don't automatically import events from Gmail. If I agree to attend the event, then add it.
- Only automatically import events from Gmail if the event comes from somebody in my contact list (or organization for work accounts).
- Don't import notification settings for automatically imported events.
It's even more important for Google to tackle this as quickly as possible because a a single spam message is capable of spamming you for eternity. If a less tech-savvy user gets one of these emails, and it sets up an event that recurs every week until the sun explodes, they'll be getting that spam notification forever. This is not OK.