Spam vector
The Gmail API can be used to create calendar invitations that will always appear in a user’s Google Workspace Calendar. The critical issue is that even if the user or Google’s own systems correctly identify the email invitation as spam and move it to the Spam folder, the event itself remains on the calendar.
This creates a dangerous situation. Users are left with unwanted events, and the only way to remove them is to interact with the invitation by declining it. This action sends a response to the spammer, validating the user’s email address and marking it as a prime target for further attacks. The system is essentially providing a validation service for spammers.
The API should not be a tool for abuse.
I implore you to rectify this. The solution is straightforward: when a calendar invitation email is moved to the Spam folder, any associated event in Google Workspace Calendar should be immediately and automatically deleted. Please address this critical issue before it is more widely exploited.
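The cleanup proposed above can be approximated on the defender's side by matching invitation emails labelled as spam to calendar events through the iCalendar `UID`; the sketch below is an added example, not part of the original post and not Google's code. It assumes each message arrives as raw RFC 822 bytes with its list of labels (`SPAM` being the spam label) and that the calendar's event UIDs are already known; all function names and sample messages are constructed for illustration, and the actual event deletion is left out.

```python
import email
from email import policy
from email.message import EmailMessage

def unfold(text):
    """Undo RFC 5545 line folding (continuation lines start with space or tab)."""
    lines = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def invite_uids(raw):
    """UIDs of VEVENTs in text/calendar parts whose METHOD is REQUEST."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    uids = set()
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        method, in_event, found = None, False, []
        for line in unfold(part.get_content()):
            name, _, value = line.partition(":")
            name, value = name.split(";")[0].upper(), value.strip()
            if name == "METHOD":
                method = value.upper()
            elif name in ("BEGIN", "END") and value.upper() == "VEVENT":
                in_event = name == "BEGIN"
            elif name == "UID" and in_event:
                found.append(value)
        if method == "REQUEST":
            uids.update(found)
    return uids

def events_to_remove(mailbox, calendar_uids):
    """Calendar UIDs whose invitation email carries the SPAM label."""
    spam = set()
    for labels, raw in mailbox:
        if "SPAM" in labels:
            spam |= invite_uids(raw)
    return sorted(spam & set(calendar_uids))

def sample_invite(uid, fold=False):
    """Constructed test message, not real mail."""
    uid_line = f"UID:{uid[:8]}\r\n {uid[8:]}" if fold else f"UID:{uid}"
    ics = ("BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
           f"{uid_line}\r\nDTSTART:20250101T100000Z\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
    msg = EmailMessage()
    msg["Subject"] = "Invitation"
    msg.set_content("You are invited.")
    msg.add_alternative(ics, subtype="calendar")
    return msg.as_bytes()
```

Removing the matched events without sending any reply to the organizer is the step that avoids the address validation described above.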