How can I stop a spam attack coming from my contact form?

Have more questions? Submit a request

50 Comments

  • Corrin Duque

    Thanks for this article.

    We have verified that the "Require CAPTCHA" is enabled but yesterday we suddenly started getting spam attacks in spite of this from multiple sources. All show the following: "not signed in when comment was submitted" and the tickets were all created via our Web Widget. (see second and third screen shots below)

    We never had this issue before.

    I see in the second point of this article it states the following:

    "If a ticket is submitted through a channel other than the web form, such as Twitter or email, details about the channel appear."

    This is the case for us (see first screen shot below). How do we fix this to block these spam tickets from getting created?

    0
  • Katie D.

    Hello Corrin,

    I'm an Advocate here at Zendesk. Thanks for mentioning this! I've gone ahead and created a ticket for you so that we may review this problem together. Please be on the lookout for ticket # 4649445 from me. 

    0
  • Bryan Edmonds

    We have the same issue as Corrin, and it started this last week. We've received dozens of emails with similar content and identical conditions. I've marked everyone of them as spam, but they continue to flow in. 

     

    We use a contact form on our site, and inquiries that come through it are identified as coming from the customer email, not "by web service."

     

    Sounds like some new leak for spammers to exploit. 

    0
  • Lisa Rousseau

    We are also getting the same issue. Started on Thursday/Friday. We have been marking as spam as well but still coming in. They are coming in from contact form on our site just like the other examples the others have mentioned. The same instagram related spam.

    0
  • Mike Bandy

    I can confirm that this is happening to our Support Desk as well. All of them are Instagram spam. We do have Require CAPTCHA checked but they still get through. We've gotten ~30 of these spam emails in the last 3 days from different users addressed to random names. Please do something about this.

    0
  • Ben Bos

    Same problem here. A lot of spam last 3 days. Captcha doesn't work in this case.

    All Instagram spam.

    0
  • Des B.

    We're also seeing an increase in the same Instagram spam over the last three days, Captcha enabled also.

    0
  • Kristyn A

    We're seeing the same issue as well. We started getting a bunch of spam messages about becoming an Instagram influencer on Thursday, and we also have captcha enabled.

    0
  • Adam Dragland

    Same thing here, a few dozen Instagram spam tickets a day. Anyone figure out a way to filter this stuff out?

    0
  • Ricardo

    Hello everyone,

    I have created a ticket for each one of you so we can troubleshoot further. Please take a look at your inbox. Thanks.

    0
  • Wouter van Gessel

    Same issue since yesterday (23 June 2019). We have about 25 spam tickets in our inbox now and still counting. All coming via the Web Widget. 

     

    We do have CAPTCHA turned on already... 

    0
  • Mike Bernhard

    We are having the exact same issue as everyone else. @Ricardo if you wouldn't mind creating a ticket for us too, I'd appreciate it. Thanks!

    0
  • Ricardo

    Hello, Mike and Wouter,

    I created a ticket for both of you too. Thanks

    0
  • Jeffrey Bocarsly

    We are suffering the same - the "Instagram" spam. As with many of the above, the problem occurs with the web widget, which is weak in terms of security (e.g., ignores the blacklist). There are no tools within zendesk to automatically mark tickets as spam, based on user-chosen criteria, either.

    0
  • Mike

    Same here, many "Instagram" spams exactly as the others above. 

    0
  • Bryan Edmonds

    I followed the instructions provided directly to me by Zendesk Support, and haven't seen any additional spam requests of this nature so far! 

    0
  • Meggan King

    This is happening to our account as well. It is the Instagram spam. Please create a ticket for me. 

    0
  • Mike Bandy

    The spam emails we get all have the tag web_widget. We're not even sure what page they're using to send in these tickets. We've tried testing using our contact form and this does not add the web_widget tag. Under Admin > Widget, we aren't even using it and is disabled.

    Following the instructions to add the condition and remove the placeholders did not resolve the issue as we got another email a few minutes after making these changes.

    1
  • Leia S

    We are experiencing the same "Instagram" issues with spam and have the CAPTCHA enabled on our account. Please create a ticket for me.

    0
  • Emily Rosenberg

    We are experiencing the same Instagram spam and are seeing the same web_widget tag behavior that Mike mentioned. I tested submitting a ticket and saw the captcha icon, but was not prompted to check a box for verification that I am not a robot. 

    The spam messages have been flowing in despite following the emailed instructions.

    0
  • Gil Emery

    This is happening to us for the past week or so as well.    same  web_widget tab etc

     

    0
  • Anthony Sabato

    We are seeing this issue as well. "Instagram" issues with spam and have the CAPTCHA enabled on our account.

    0
  • Mike Joseph

    Same issue here, too. About a dozen "instagram" spam messages per day. Started Wednesday/Thursday last week. They're listed as coming in via "Webservice".

    We've been marking them as spam, but it doesn't seem to help. CAPTCHA and spam protection are enabled.

    0
  • Laura Gaffney

    We are also having the same issues. CAPTCHA and spam protection are also enabled. 

    0
  • Flavien Charlon

    Same problem here with us. Dozens of spam tickets opened. They all have the "Webservice" channel listed.

    0
  • Brett - Community Manager

    @Mike, Flavien, Laura, I've generated a ticket on behalf of each of you so our Customer Advocacy team can dig into this further.

    I appreciate you bringing this to our attention!

    0
  • Gil Emery

    I was able to create a ticket on our  submit a request page in zendesk

     

    Even though  it shows this

     

     

    I was never prompted to enter anything to confirm my identify.   I am using Chrome

    Already a ticket created for me with this-- just giving you some information to help solve?

    1
  • Brett - Community Manager

    Thanks for sharing Gil!

    0
  • Katie D.

    I wanted to share the recommendations we have been making to customers within the tickets created from comments on this thread. To combat spam, we recommend removing placeholders from your “Notify requester of received request” trigger. If you have customized triggers, you’ll need to remove any of the placeholders that pass the comment or title content of the tickets to the end-user at ticket creation.

    Making these recommended changes will not immediately stop the spam, but it does stop the spam from being passed. The spam will stop over time. Please submit a ticket to us if you have any questions.
    support@zendesk.com

    Here’s an example of the changes you’ll need to make. In this example, I’m using the “Notify requester of received request” trigger:

    Add this condition under the ALL conditions:

    Current User, is, (End-user)

    In the Actions section, look at the “Email subject” and the “Email body” fields. Remove these two placeholders:

    {{ticket.title}}

    {{ticket.comments_formatted}}

     

     

    Removing the placeholders will prevent spammy notification emails from being sent out and will result in many fewer spammy tickets ending up in your account. This removal effectively stops the spam from being forwarded to the spammer’s target (the requester), though it may take a while for the messages to stop.

    With these changes, the need for the secondary trigger comes into play when you or your agents are creating tickets on behalf of requesters (sending out proactive emails, or any scenario where you need to send out a message on the creation of the ticket). When an agent creates the ticket, there is no risk to sending out the initial message. Creating this trigger will enable your end users to see the content of the agent-created ticket.

    Here are the needed conditions for this trigger, which we’ll call "Notify requester of agent-created request (Proactive Ticket)”:

    ALL conditions:

    Ticket, is, Created

    Status, is not, Solved

    Privacy, is, Ticket has public comments

    Current user, is not, (end-user)

    Actions:

    Email user, (requester)

    Email Subject:

    [Request Received] {{ticket.subject}}

    Email Body:

    A request {{ticket.id}} has been created by our staff!

    To add additional comments, please reply to this email.

    {{ticket.comments_formatted}}

     

     

    With these changes made, your account will no longer be an attractive target for spammers. After removing the placeholders, it may take a bit of time for the spammer to notice their content is no longer being passed, but removing the placeholders removes the motivation to spam your account. 

    For more information on spam prevention on other channels, see our resources here.

    https://support.zendesk.com/hc/en-us/articles/360002046548-Spam-prevention-resources 

    If you have any questions, please submit a ticket to support@zendesk.com, we are here to help.

    0
  • Richard Sloggett

    We are also being hit by this issue. Could you explain how these users are able to submit tickets to us through the web service without having to sign in?

    0

Please sign in to leave a comment.

Powered by Zendesk