Security Flaw: Gmail API Enables Persistent Calendar Spam

Spam vector

The Gmail API can be used to create calendar invitations that will always appear in a user’s Google Workspace Calendar. The critical issue is that even if the user or Google’s own systems correctly identify the email invitation as spam and move it to the Spam folder, the event itself remains on the calendar.

This creates a dangerous situation. Users are left with unwanted events, and the only way to remove them is to interact with the invitation by declining it. This action sends a response to the spammer, validating the user’s email address and marking it as a prime target for further attacks. The system is essentially providing a validation service for spammers.

The API should not be a tool for abuse.

I implore you to rectify this. The solution is straightforward: when a calendar invitation email is moved to the Spam folder, any associated event in Google Workspace Calendar should be immediately and automatically deleted. Please address this critical issue before it is more widely exploited.

2 Likes

It is rather ridiculous that this has been left like this for years. The only reported solution is disabling automatically adding invites to the calendar, which is normally a useful feature. Add the option to block invites tagged as spam.

2 Likes

You know what’s even more ridiculous? After these spam calendar invites appearing on my calendar regularly for a month now, I just got a warning from Google Calendar: “Your calendar event might be in violation of Google Calendar policy”, so now MY account is getting dinged as a spam generator because some internal Google daemon is generating spam calendar invites sent to me!

Hey,

Hope you’re keeping well.

This behavior is tied to how Calendar automatically processes meeting invites received via Gmail, including those sent through the Gmail API. Moving the email to Spam does not retroactively remove the calendar entry because the event is stored independently once parsed. Workspace admins can adjust invite handling under Google Admin Console > Apps > Google Workspace > Calendar > Sharing settings by disabling “Automatically add invitations” or setting it to “Only if the sender is known.” This prevents unsolicited events from appearing without user confirmation.

For security concerns of this nature, it’s best to file a detailed report via the Google Bug Hunter program or the Workspace support channel with reproducible steps, so the product team can assess and address potential abuse vectors.

Thanks and regards,
Taz
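The thread makes two points worth showing in code: declining an auto-added event sends an RSVP back to the sender, and the admin-side mitigation is to only accept invitations from known senders. The following is an added example, not code posted by anyone in this thread or shipped by Google. It triages events by organizer domain against an assumed allowlist (a stand-in for "known sender"; the real Workspace setting uses contacts and directory membership, not a domain list) and removes the flagged ones through the Calendar API v3 `events().delete()` call with `sendUpdates="none"`, which is the documented way to delete without notifying the organizer. The `service` object, the sample events and the domain allowlist are assumptions constructed for the example.

```python
"""Triage events that Calendar auto-added from unknown organizers.

Added example, not code from the thread's participants or from Google.
It assumes a Google Calendar API v3 `service` object built elsewhere with
google-api-python-client (the `events().delete(...)` call and its
`sendUpdates` parameter are documented in that API); the event records
and the known-domain allowlist below are constructed for illustration.
"""
from __future__ import annotations

from typing import Callable, Iterable

# Constructed sample events, trimmed to the Calendar API v3 fields used here.
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Team sync",
     "organizer": {"email": "alice@example.com"}},
    {"id": "evt-2", "summary": "Claim your reward now",
     "organizer": {"email": "promo@unknown-sender.example"}},
    {"id": "evt-3", "summary": "Quarterly review",
     "organizer": {"email": "me@example.com", "self": True}},
    {"id": "evt-4", "summary": "Vendor call",
     "organizer": {"email": "sales@partner.example"}},
]

# Assumed allowlist: the domains this user treats as "known senders".
KNOWN_DOMAINS = {"example.com", "partner.example"}


def organizer_domain(event: dict) -> str:
    """Return the organizer's mail domain, lower-cased, or '' if absent."""
    email = event.get("organizer", {}).get("email", "")
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def unsolicited_events(events: Iterable[dict], known_domains: set[str]) -> list[dict]:
    """Events the user did not create whose organizer is outside the allowlist."""
    allowed = {d.lower() for d in known_domains}
    flagged = []
    for ev in events:
        if ev.get("organizer", {}).get("self"):
            continue  # the user's own events are never unsolicited
        if organizer_domain(ev) not in allowed:
            flagged.append(ev)
    return flagged


def remove_without_reply(event_ids: Iterable[str],
                         delete_fn: Callable[[str], None]) -> list[str]:
    """Delete each event via delete_fn and return the ids removed.

    Declining an invitation sends an RSVP to the organizer and confirms the
    address is live; deleting through the API with sendUpdates='none' sends
    nothing, which is why this path is preferred over clicking "Decline".
    """
    removed = []
    for eid in event_ids:
        delete_fn(eid)
        removed.append(eid)
    return removed


def calendar_api_deleter(service, calendar_id: str = "primary") -> Callable[[str], None]:
    """Build a delete_fn backed by a real Calendar API v3 service object.

    sendUpdates='none' suppresses the notification that a decline would send.
    """
    def _delete(event_id: str) -> None:
        service.events().delete(calendarId=calendar_id, eventId=event_id,
                                sendUpdates="none").execute()
    return _delete


if __name__ == "__main__":
    to_remove = [ev["id"] for ev in unsolicited_events(SAMPLE_EVENTS, KNOWN_DOMAINS)]
    # Dry run: report instead of calling the API.
    print(remove_without_reply(to_remove, lambda eid: print("would delete", eid)))
```

In production you would replace the dry-run lambda with `calendar_api_deleter(service)` and feed it the result of `service.events().list(calendarId="primary").execute()["items"]`. Keep the allowlist check conservative: a false positive here silently deletes a legitimate invitation, so logging the flagged events before deleting them is the sensible default.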