
Meeting Reminder: It's Spam O'Clock!

05.02.2008 - 3:45 PM

Recently, Websense Security Labs has become aware of an increasing trend in spam emails that many mail clients treat as meeting invitations. This is not necessarily new, but it has been becoming more and more common, as others such as The Washington Post and ISC have reported. As the trend grows, some noticeable problems with the way many mail clients handle these requests are becoming more apparent and easier to identify, and the purpose of this blog is to go over some of these problems in finer detail.

The most obvious and noticeable problem this causes is that, in many email/calendar clients, under default configurations, these invitations actually get added to the calendar of the user who receives the spam, unless they specifically decline the request. Below, we will go through a brief analysis of how these requests work and how a few different clients handle the messages.

First, it should be pointed out that, while some email systems like Gmail/Google Calendar and a compatible version of Outlook handle meeting requests as a distinct message type specific to meetings, many email systems handle them as normal emails carrying a specially formatted attachment that follows a standard known as iCalendar. Applications that support these attachments are common; most of the major email clients that include some sort of calendar integration support them in some way, including Microsoft Outlook, Mozilla Calendar (as well as Sunbird and Lightning), and Apple's iCal. Confusingly, iCal is also an abbreviated name for the standard, though the two are related only in that Apple's iCal application supports a variation of the format. Even some web-based clients, like Gmail, support these messages. Per the standard, these files are plain-text, UTF-8 encoded files, typically with an extension such as .ical or .ics, though this can vary from one implementation to another.

In general, these attachments would not be a problem, except that some applications with default settings process them in ways that let a spammer, or potentially a malicious attacker, deliver content through a channel that users see less often and recognize less readily as junk or malicious. Many users have learned that it's bad to click on links in emails, but they are far less often told not to click on links in meeting requests, or in the body of the meetings already sitting in their calendars!
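To make the attachment format discussed above concrete, here is an added example (not code from the original post or from Websense) that parses a constructed iCalendar invitation and flags the traits the post describes: an unsolicited METHOD:REQUEST that recurs with no end, carries a reminder, and puts a link in the event body. The sample file, its addresses and the flag names are assumptions.

```python
import re

# Constructed sample invitation (not from the original post): a daily,
# never-ending METHOD:REQUEST with a reminder and a link in the description.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//constructed//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@example.invalid
ORGANIZER:mailto:sender@example.invalid
SUMMARY:Account verification meeting
DESCRIPTION:Please confirm at http://phish.example.invalid/login before
  the meeting.
DTSTART:20080502T150000Z
RRULE:FREQ=DAILY
BEGIN:VALARM
TRIGGER:-P1D
ACTION:DISPLAY
END:VALARM
END:VEVENT
END:VCALENDAR
"""

def unfold(ics):
    """Join folded lines: a continuation line starts with a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", ics)

def parse_properties(ics):
    """Return (name, value) pairs for every property line, parameters stripped."""
    props = []
    for line in unfold(ics).splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        props.append((name.split(";")[0].upper(), value))
    return props

def invitation_risk_flags(ics):
    """Flag the traits a mail gateway might score before the calendar sees them."""
    flags = set()
    for name, value in parse_properties(ics):
        if name == "METHOD" and value.upper() == "REQUEST":
            flags.add("meeting_request")        # client may auto-add the event
        elif name == "RRULE" and not re.search(r"(UNTIL|COUNT)=", value, re.I):
            flags.add("recurs_forever")         # no UNTIL or COUNT bound
        elif name == "TRIGGER":
            flags.add("has_reminder")           # VALARM will keep notifying
        elif name in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
            if re.search(r"https?://", value, re.I):
                flags.add("link_in_event")      # clickable link in the event body
    return flags
```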

For an example of some of the default behaviors for these files, I'll walk through a proof-of-concept on how two clients -- GMail integrated with Google Calendar, and Microsoft Outlook -- handle these requests. In doing so, I will use two Gmail/Google Calendar accounts (which I will refer to as the 'sender account' and the 'Gmail target') and one Outlook account ('Outlook target').

First, in the Gmail sender account, I set up a meeting that occurs every day and contains a fake phishing link of the sort I might spam out if I were trying to phish someone or get them to click on a malicious link. I add the other two accounts (Gmail target and Outlook target) as additional attendees of the meeting, and then send the invitation. When Google Calendar asks if I want to send this request to the other attendees, I say yes.

I then log into the Gmail target account, and go to my Google Calendar. I haven't, at this point, even viewed the Gmail inbox for the target account, let alone opened the email that got sent, and already the meeting shows up in that account's Google Calendar, every day, forever. Not only that, but when I view it, it already has default settings there to remind me via all available notification methods 1 day in advance. This even includes, since it was enabled on this account, SMS notifications. There's also the fake phishing link that I included.

Next, I go to look at the Outlook target account that I sent the invitation to. At first, the invitation shows up in the account's inbox but doesn't immediately show up in the calendar. So, at least in this case, I won't automatically get spammed every day with reminders without having interacted in any way with the invitation.

The problem here comes up when I open the email in my inbox that contains the invitation. Before I've made any decision about whether I want to accept or deny the invitation, Outlook blocks the time off in my calendar (every day, forever, again, since that's when the invitation says it's supposed to occur). It sets this time as 'tentative', and it does put reminders in there according to my default settings.

In both email target clients, if I view the email that got sent to me for the request, and close it without deleting it, the events remain on my calendar and continue to send me repeated notifications about it, on a daily basis.

In Google Calendar, even if I delete the email from my inbox it remains on my calendar, until such a time as I specifically delete the series. Even if I use the client's built-in functionality to decline the event, but don't delete it, it remains on the calendar and remains marked as 'busy' time until I delete it.

In Outlook, as soon as the email with the invitation is deleted, the event is removed from the calendar. The same happens if the invitation is declined. Unfortunately, Outlook's default behavior is to send a notification to the sender of the invitation that the request was declined. Though there is generally a prompt before this is done, clicking through it can easily become habit. In the case of spam, this tells the spammer that the email address is active and in use, and that the request they sent was likely viewed. Declining the request like this is likely to result in more spam being sent in the future, since it essentially confirms to the spammer that the address is a valid one.

There are, of course, many other applications that use these invitations, and they likely do so in a variety of ways. Some probably behave more desirably, some less so, with the whole spectrum in between. Though this analysis covers only two, it does so to show some of the problems with the way applications may handle these requests and to raise awareness that these problems exist. Users should be made aware of this regardless of which applications they use, since any of them could be spammed or attacked using these techniques. They should be educated that seeing a meeting request instead of an email does not make it any safer to click on links.

Security Researcher: Evelyn Scidmore
