Checking my schedule in iCal, I found an unexpected morning event called “Hello Dear.” Did my wife send me a geeky greeting? Double-clicking the event to learn more (because iCal under Leopard now requires a double-click, a frustration I keep meaning to write about but haven’t had the time) revealed that the event was most certainly not from my wife, but from some spammer promising that a large sum of cash is ready to be couriered to me.
What, now there’s spam in my iCal calendars?
Yes, courtesy of a preference in Apple’s Mail application that is no doubt intended to be a “feature.” Instead, it’s a vector for unwanted intrusion. Here’s what happened:
Yesterday I received a spam message that included an .ics file – a calendar event generated in this case by Google Calendar. The message was flagged as Junk and banished to the proper folder, but not before the .ics file was automatically passed to iCal, where the event was created.
For people who set up meetings and send reminders, this feature is clever. In iCal under Leopard, you double-click an event, click the Edit button, and then click the Add Attendees link to include the email addresses of people who should be notified of the event. When they receive the email message, Mail (or other software that can handle .ics attachments) sends the meeting information to iCal where the event is added. That way, for example, even if I missed the memo that TidBITS was having a staff meeting, it would still appear on my calendar.
But just as it’s a bad idea to allow Safari to open downloaded files automatically (see “Significant Safari Exploit Discovered,” 2007-09-07), this capability to create iCal events automatically is an invitation to wrongdoing. I don’t have the scripting chops to tell if such an event could do damage to your data, but at the very least it’s a nuisance, and if lots of spammers started using this technique, all the spurious events could overwhelm your calendar.
Fortunately, there’s an easy fix: In Mail, go to Mail > Preferences and click the General icon (if it’s not already selected). From the “Add invitations to iCal” pop-up menu, choose Never. When a message containing an .ics attachment arrives, it won’t automatically be added to your calendar; you’ll need to double-click the attached file to do that.
Note, too, that iCal can subvert this choice. In iCal’s preferences, click the Advanced icon and make sure that “Automatically retrieve invitations from Mail” is also unchecked.
Although this wasn’t the case with the message I received, some events require a reply when you attempt to delete them. According to an Apple support discussion, you can disable Internet access and then delete the event, or install John Maisey’s donationware iCal Reply Checker.
I can see how automatic data handling can be convenient, but we’re at a point on the Internet where there’s no reason to leave doors open that shouldn’t be. At the very least, any event passed to iCal should be intercepted and presented to the user as a confirmation dialog.
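The gate that last paragraph asks for, sketched as an added Python example (not from the original article and not Apple's code): it parses an .ics attachment and never adds the event automatically, holding anything from a Junk-flagged message and queuing the rest for confirmation. The policy, the function names, the action labels and the sample invitation are all assumptions made for illustration.

```python
# Added illustration; the policy and all names are assumptions, not Apple's code.
import re

SAMPLE_ICS = (  # constructed sample, not the message from the article
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\nSUMMARY:Hello Dear\r\n"
    'ORGANIZER;CN="Claims: Dept":MAILTO:Agent@Example.invalid\r\n'
    "DESCRIPTION:A large sum is ready to be couri\r\n ered to you.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n")

def unfold(text):
    # RFC 5545: a line break followed by space or tab is a fold; join it back.
    return [l for l in re.sub(r"\r?\n[ \t]", "", text).splitlines() if l]

def split_prop(line):
    # Split "NAME;params:value" at the first colon outside double quotes.
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            return line[:i], line[i + 1:]
    return line, ""

def parse_invite(ics_text):
    # METHOD plus the first VEVENT's summary, organizer address and description.
    info = {"method": None, "summary": None, "organizer": None, "description": None}
    in_event = False
    for line in unfold(ics_text):
        head, value = split_prop(line)
        name = head.split(";", 1)[0].upper()
        if name == "METHOD":
            info["method"] = value.upper()
        elif name in ("BEGIN", "END") and value.upper() == "VEVENT":
            if name == "END":
                break
            in_event = True
        elif in_event and name == "ORGANIZER":
            info["organizer"] = value.lower().split("mailto:", 1)[-1]
        elif in_event and name in ("SUMMARY", "DESCRIPTION"):
            info[name.lower()] = value
    return info

def decide(ics_text, flagged_junk, address_book):
    # Never auto-add: junk stays with the message, the rest waits for a click.
    inv = parse_invite(ics_text)
    if flagged_junk:
        return "hold", inv
    return ("confirm" if inv["organizer"] in address_book else "confirm-unknown-sender"), inv
```

The junk check comes first, so an invitation in a message already filed as Junk never reaches the calendar even when the organizer address looks familiar.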