Calendar import google auto set to spam past appointment invitees

Posted on #nextcloud on freenode irc

[15:12:36] just setting up nextcloud on a freebsd server today, and made a test user account and imported some account data from a google account. I imported a calendar and while importing the calendar nextcloud started to notify contacts for past appointments…
[15:12:45] nextcloud 11.0 stable
[15:13:26] shutdown the postfix service and will remove the queue but guys this is quite an oversight…
[15:17:54] That sounds like a good github issue
[15:18:18] I’m a little surprised it doesn’t check whether the date of an appointment is in the past before sending a notification
[15:18:43] there is about 10 years of google appointments getting mailed out to contacts
[15:18:52] import not yet complete
[15:19:07] pretty stunning oversight
[15:20:50] also as the user has not yet defined an email address the mail is going to the postmaster for the domain rofl…
[15:22:07] so basically the calendar app upon import even without a user defining an email address sends out mail via an imagined user/email address named after the site name @ the config domain name

Update 1

X-PHP-Originating-Script: 80:SimpleMailInvoker.php

you guys gotta patch this asap
There should be no immediate outbound mail triggered by importing data from outside data source. The import was not even half way through and the mails were flying out…

your calendar app sent out emails to 10 years of google calendar invitees… really?

It’s so carelessly coded spammers can use this flaw actually…


GitHub Issue

1 Like

Thanks for reporting this issue. In the meantime it was moved to the server repo: