The best automated scheduling software for you and everyone you meet
September 01, 2020
Product Updates

How Calendly protects your calendar from spam and abuse

How Calendly Protects Your Calendar from Bots and Spammers

By Caitlin Brett

The beauty of Calendly is the ability for your clients and colleagues to book time on your calendar in an intuitive, frictionless way. In just a few clicks, you can share your availability with anyone who needs to meet with you, and we don’t want to disrupt the flow of your business by requiring a tedious sign-in process.

As a result of such openness, however, we’ve had to take serious measures on the back end to mitigate spam events and abusive tactics. Here are a few of the ways Calendly works to protect your time from illegitimate bookings:

Stopping bots and abusers in their tracks

You’re undoubtedly familiar with reCAPTCHA, the pesky little challenge that requires you to check a box stating “I’m not a robot” before hitting the submit button on forms across the web. We won’t subject your invitees to that, but we do use reCAPTCHA’s newest and most sophisticated version, reCAPTCHA v3, which runs entirely in the background and requires no user interaction to weigh in on whether a visitor to your scheduling page is human or robot.

In addition to reCAPTCHA, we incorporate tools like CloudFlare to automatically prevent large request volumes—otherwise known as distributed denial-of-service (DDoS) attacks. These malicious attacks use networks of compromised computers and other devices to flood a site with connection requests, similar to thousands of cars jamming up a highway, preventing legitimate traffic from getting where it needs to go.

Preventing hackers from using Calendly as an attack vector

Calendly does many things on behalf of its users, including creating calendar invites and sending emails to invitees. Our customers’ reputation—and their productivity, of course—is paramount in everything we do. So we cannot allow Calendly to become a platform for sending spam.

To that end, we’ve created our own proprietary system that weighs dozens of important factors to systematically detect and block spam content. Along with reCAPTCHA, we also use data from E-HAWK to help evaluate spam. This custom-built solution allows us to tune parameters as needed and nimbly guard against abusers.

Monitoring borderline cases 24/7

All traffic is given a “score” by our system which allows us to outright block any activity with a high level of risky behavior or closely monitor activity that’s on the edge of being considered abusive. An attack that isn't automatically blocked will set off alarms to our on-call team and abuse prevention experts. Our team members around the globe keep a close eye on these monitors at all times, letting us step in and resolve attacks swiftly.

Reporting an event in the case of scheduling abuse

There may still be cases where an unexpected or unwanted meeting appears on your calendar. Sometimes these events come from confused humans who mean no harm; occasionally they might come from people who want to share details about their own product or company, or jam up your schedule on purpose.

If any event winds up in Calendly that shouldn’t have, you can click the “Report this event” link either on the email notification you receive for the event or in the Scheduled Events tab in Calendly. This cancels the meeting and reports the data to us so we can continue to improve our abuse prevention measures.

If you’re getting spammed…

There are several best practices we can recommend for setting up and using Calendly if you’re concerned about spam meetings.

  • Use advanced availability rules to set a limit for how far into the future an invitee can book with you or limit the number of bookings your calendar will accept each day.

  • Rather than sharing your full Calendly landing page, which displays all of your bookable event types, only share links that lead directly to a particular event type.

  • Be thoughtful about where you share your link. If your link is in an email signature, consider deleting it or using a different signature before sending an email to someone you wouldn’t want to book with you.

  • Provide single-use links when coordinating times with invitees that you don’t yet know or trust.

Continuing to improve

Calendly takes our customers’ time and productivity very seriously—and we’ll continue to hold abuse prevention sacrosanct as we grow and expand our products. From bots to attacks to accidental bookings, we’re always researching and testing methods to keep your calendar private and organized.

This article was written in collaboration with Brett Clanton, Application Architect.


Caitlin Brett

Caitlin Brett is a senior copywriter at Calendly and works from Decatur, Georgia, usually with a cat on her lap.

Product UpdatesIntroducing Workflows: your entire meeting lifecycle made easy

Learn about our new feature that automates confirmations, reminders, followups, and more.

Product UpdatesSee how Virtru increased their rate of demos scheduled from 30% to 60%

When sales reps are swamped with so many priorities, it’s easy for hot inbound leads..

Product UpdatesWhat is my Calendly link and where can I find it?

By now, you’ve set up your event types, but without sharing your link with customers...

Ready to get started?

85% of customers are ready to use Calendly in less than 1 hour.

The best automated scheduling software for you and everyone you meet

© 2020 Calendly

We take the work out of connecting with others so you can accomplish more.