Spam via Web Widget

23 Kommentare

  • Offizieller Kommentar
    Ryan W

    We've recently made the change that adding a modifier to your blacklist will extend it to work regardless of channel.

    For suspension, you could do the following: or reject:spammy_email

    This is recorded in our article on the feature itself (last example at the bottom):
    Using the whitelist and blacklist to control access to Zendesk Support

    Please let us know in a ticket if you have any additional questions or concerns surrounding this specific ask.

    As for any present spam issues --- Please open a ticket if you are experiencing a lot of spam -- our advocates are able to help out with that, or get to our Anti-Abuse team for further investigations.

  • Thomas Verschoren
    Community Moderator

    One quick and dirty work around:

    1. Create an organisation named SPAM
    2. Add all blacklisted domains to the organisation, with a space between each domain.
    3. Create a trigger: IF ticket is created and organization is SPAM: , then close the ticket and add a tag SPAM

    It does not prevent tickets from being created but it hides them from agents + the added tag makes it possible to filter them from Explore reporting.

  • Peter Hochstrasser

    Hi Thomas

    My solution uses the organization spammer, the rest is exactly the same. Thanks for sharing.

    Drawback is that it counts them into the totals, too.

    Yours truly


  • Klaus Even Enevoldsen

    We get the same SPAM all the time and I don't understand how it can be sent using the web widget as access to our site is protected by username and password.

  • Devan - Community Manager
    Zendesk Community Team

    Hello Klaus,

    So when it comes to spam and protecting yourself from it, I would recommend looking into this article on implementing some of our best practices.

    How can I stop spam attacks? 

    Best regards.

  • Klaus Even Enevoldsen

    Hello Devan,

    Thank you. Yes, I did that. The problem though is that the SPAM originates from the Web Widget and not from the contact form.

    Best regards.

  • Jack

    Same problem here. The ticket all showing coming Web Widget under Channel. Not from API or Chat widget.

    I can not even duplicate that and adding the's email domain under blacklist does not help. 

    How are the spammer is doing it through Web Widget? 

  • Trapta
    Community Moderator

    Hi @Jack, take a look at this post:

    Let us know if this solves the issue.


  • Tom

    Trapta, Devan - Community Manager

    Blacklisting does NOT resolve this issue. is correctly blacklisted ( under Settings > Customers and yet spam tickets are still being created.

    Previously these were coming through the Web Widget but now they're coming through "Via Mobile SDK". I want to be super clear here: We do not use the Mobile SDK, have never used it, and have not agreed to your licence agreements for it.

    Besides the obvious spam problems, the secondary problem is noise in the Explore reports. If the domain is blacklisted we can't place them in an organization to filter them out from our overall reports, and even if they are filtered they still count towards our ticket count totals.

    This is a major issue for us.

  • Peter Hochstrasser

    Hi @Trapta, @Devan

    As Tom points out, your vision on this seems to be incomplete here: You do not use the e-mail blacklist to verify entries from any other channels. Even if they enter their e-mail address in the Web Widget, the address is not scanned and recognized as from a blacklisted domain. That is one of the problems, as I pointed out in the main entry above.



  • Thomas Verschoren
    Community Moderator


    We see this also with MULTIPLE clients:

    They get spam via widget or mobile SDK but have NEITHER channel enabled. is one for example, same with other chinese or russian (or seemingly) locales.

  • Peter Hochstrasser

    Regarding the solution outlined above: There is one additional, unexpected drawback:

    While Zendesk does not check e-Mail addresses from other channels against their blacklist, they DO check the mail domains assigned to Organizations against their blacklist...

    Result: You cannot blacklist a domain that is assigned to an Organization.

    So, while Zendesk delivers a one-channel-only solution, we (Thomas and myself) have outlined above a working solution which works around Zendesk, for any channel you like.

    Dear Zendesk Development: Please complete your vision:

    • Please make blacklisting work in all channels where the information is applicable, and
    • Please make the error which does not allow to add a domain to the blacklist if it belongs to an organization a warning.

    Thank you for listening and acting.


  • Martin E. Koch

    Thomas Verschoren


    for the last 24h we also received like 200 spam messages which are tagged with web_widget

    I can not see that we have the web widget enabled, our site always requires a login. 

    Aslo a change to force captcha did not work. I find this is something Zendesk should better filter

    and better show debug info in the event view of the case (like URI which was used and the remote

    ip of the system filing the request).


    Is there a known new issue? We never had issues before.

  • Shane Farley

    We had the same happen as Martin (above) did apparently. About 200 emails came in through this past weekend with a "webwidget" tag and I don't know how to stop it, but it seems to have stopped on it's own for now. Also, the Zendesk "suspicious activity" filter should have picked this up earlier than 167 emails. I think I want to modify that setting, at the very least. 

    If any ways to block the web widget (which I don't believe we are using right now), I would be interested.


  • Brett - Community Manager
    Zendesk Community Team

    Hey Martin,

    This was indeed a known issue that our team is currently looking into. I've checked and there have been reports of the issue now being resolved.

    Can you confirm whether or not you're still experiencing issues on your end?

    @Shane you could create a trigger that automatically closes any ticket that has the web_widget tag added to it. You can use the following:

    Meets all of the following conditions:

    Ticket > is > created
    Tags > contains at least one of the following > web_widget


    Status > Closed

    Let me know if you have any other questions!

  • Martin E. Koch

    Hello Brett - Community Manager


    thank you for the follow up. Yes, the problem is currently not occurring. It only seem to have happened

    during sunday 00:02 CET till 22:53 CET. I could not find any before or after this timeframe.


    It would be good to know as Shane Farley also asked how to block or even access this web_widget

    and also get some conclusion what happened and how to prevent it.

  • DavidC.Soliday

    We had the same problem in early January, upon returning from our holiday break. I went in and disabled our web widget and help guide then.

    This morning we had another web_widget tagged new ticket, with some random email address as the requester. This is the first I've seen this support discussion thread, and learned that other clients are also getting spam tickets through unknown channels. That's disturbing, to say the least.

    I've created the trigger that Brett suggested, but that sure seems more like a band-aid than a solution. It'll be interesting to check the web_widget tag in another month, to see if there are any more in there.

  • Martin E. Koch

    Hello DavidC.Soliday / Brett - Community Manager


    yes, we had two webwidget spam messages today again as well.


    (and also some email spam some days ago).


    It would be great if that would get addressed by Zendesk.

  • Martin E. Koch

    and we received more web_widget spam messages, .... 

  • Ryan W

    Hey Martin E. Koch,

    Were you able to make the changes found in Combating spam via webservice ? Taking these steps will remove incentive for spammers to target you. 

    If you continue to have spam issues, please submit a ticket using the "Get Help" web widget in the bottom right corner of our support help center. Within that ticket we will be glad to assist.

  • Martin E. Koch

    Hello Ryan, 


    I am not sure what your role is, at least by your Profile you do not seem to be from Zendesk.

    Further it is not even possible to @ mention you here as "Ryan" is a to generic name and the amount of

    people showing up in the dialog to select persons are limited and you do not show up in the ones I can see.


    Anyhow, as I agree that it removes the incentice it also removes the information which I find handy

    to have in a case open confirmation.


    Worse, here it seems to be a open function where external spammers can post via some

    "web_widget" where at least I have not seen an info what that channel even is.

    So if zendesk could answer on what it is, why spam was in between not coming through 

    and then suddenly appeared again.

    So how can you either disable the web widget, what functions require it and what goes on here.

  • Peter Hochstrasser

    Hello Ryan

    Thanks, will give it a spin and report.

    As Martin indicated, would be nice to have a bit more than just Ryan to @mention you.


    Martin E. Koch: Ryan has that little circle in the lower right corner of his photo which indicates that he is from the inside, i.e. in roles Agent or Administrator. This is also supported by him adding a "official comment".

    Looking at his comments in his profile, I have been able to deduct that he knows a lot in this area and comments frequently on this type of problem.


    Yours truly


  • Ryan W

    Hey Martin E. Koch and Peter Hochstrasser,

    Apologies for the vague name. I deal with a lot of the "unfriendly" sides of things, and have ran into some less than optimal situations before, so I reduced my name to minimize that -- I will look to add something more to it shortly as I agree, its not the best as it stands.


    Martin E. Koch -- The web_widget spam you're seeing is indeed coming in via API. You're seeing a "replay" of what a webwidget sends. We're looking at ways to improve this to prevent this misdirection (as well as spam prevention from those channels in general). I don't have anything anything specific to give you at this time, but please know we're absolutely looking into this problem altogether, but it will take time to get there. I wish I had a quick and holistic fix for you at this very moment, but unfortunately I don't. I realize this is likely not the answer you're hoping for. Please write in if you're still having issues after following the instructions on that article.

    Let me know if you have any additional questions or concerns.


Bitte melden Sie sich an, um einen Kommentar zu hinterlassen.

Powered by Zendesk