Combating spam submitted via web service


84 Comments

  • Jonathan March

    Zendesk, could you please clarify how it's possible for a malefactor to use the API without having possession of an API Token?

    >  If you view the events of the spam ticket (see Viewing all events of a ticket) and look to the very bottom of the page, you’ll see that it was submitted via Web Service. This indicates it was created via API

    2
  • Ryan W

    Hey Jonathan March

    While it is through API, it is through the Requests Endpoint, which does allow anonymous requests (https://developer.zendesk.com/rest_api/docs/support/requests#create-request)

    Presently, this is used for the submit a request form and Web widget (which both handle anonymous requests), but does not require them to be used.

    0
  • Jonathan March

    Many thanks for the info Ryan, makes sense.

    Zendesk, since we have the captcha safeguard for anonymous tickets submitted from a web form, it seems that it would be useful to support another setting to disable anonymous tickets submitted directly from the API. (I recognize that this would probably be non-trivial to implement!)

    2
  • Jonathan L

    Can we have an update from Zendesk please? I find the lack of action when it comes to the security of the API and the damage this is causing to businesses' reputation disgusting.

    This weakness in the API has been abused for over 7 months, tonight I received 15 more tickets all spam orientated sent from the web api.

    I'm seriously considering just moving to another supplier, the ZD support agent sent me a message saying that he's closing the ticket as the problem has gone away. I mean if I said that to my clients I wouldn't stay in business for long.

    The temp (Community) solution leaves genuine customers who submit tickets unable to see the information they sent in the original request, this is not good enough!

    0
  • Sheryl T

    Jonathan L - just exclude a few key words from the spam message from your Notify Requester of Received Request message, and that should do it.  I haven't had any more spam since very early Monday morning.

    0
  • Donato Dileo

    Hi Guys,

    This is a known issue, right? Why does Support seem unaware of it and reply telling us to change the trigger, when we've clarified that the trigger doesn't fix the issue?

    Please let me know

     

    0
  • Ryan W

    Hey Donato Dileo, changing the ticket creation trigger so it cannot be used as an open mail relay does indeed prevent your email and account from being used as a conduit for spam. The spammers who are affecting your account will no longer have any incentive to target you. You are correct -- it doesn't prevent the tickets from being created, but it helps to not make your account a target. This is the best solution to avoid spam.

    Jonathan L I'll be glad to look into that ticket for you, and reach out to you again. To clarify, you are more than welcome to keep your placeholders within your ticket updates (so, on a reply, they would receive the entire thread again) -- Keeping the ability to relay spam, regardless of channel, leaves you vulnerable with this configuration. Changing it as the instructions state will help, and be a minimal change. Write into support and look at the Message you receive from us -- Feel free to use that as a template.

    Jonathan March Thanks for that -- I've noted your feedback and am doing my best to relay it to the right people. Please know we're looking into a well-rounded solution, but there unfortunately isn't a quick and easy answer. I will update this comment thread if I have any news -- otherwise feel free to write in and we should be able to provide some information.


    2
  • Jonathan L

    Ok I clearly need some help here, our support desk is completely unusable, I made all the changes suggested last week, we have received over 2000 tickets, many in Russian that we cannot stop, our team is at breaking point and we have no idea what to do... many don’t get picked up as spam and the fields are all removed.

    Can someone call me from Zendesk please, my ticket still awaits an update since late last week.

    0
  • Brett - Community Manager

    Hey Jonathan,

    Thanks for the heads up! I'll reach out to our Advocacy team to see if we can get an update out to you on your ticket.

    Appreciate you bringing this to our attention!

    0
  • Ryan W

    Hey Jonathan L -- I apologize for not reaching out on that ticket - Could you double-check to ensure you've edited the right triggers? This has proven very effective on other accounts which have done so.

    A good way to check is to go into the Events page of the ticket itself to see which triggers have fired:
    https://support.zendesk.com/hc/en-us/articles/203691176-Viewing-all-events-of-a-ticket#topic_wrp_3wn_scb

    The Trigger would be the Notify Requester of Received Request trigger. If you have a newer account (one created within the last year), this should not apply to you (see what default triggers NOW look like HERE, circa ~1 year since time of this post).
     

    I believe all plan levels are able to edit any existing trigger (though there are some restrictions around creating additional ones), so you should be able to do so.

    Additionally, if any of the domains you see are not ones you would want or expect mail from, adding them to your blacklist with "suspend:" or "reject:" prepended to them will block or suspend for these API tickets (Note: without these modifiers, only the email channel will suspend tickets from them).

    Lastly, if you could clarify the account of yours within your ticket that would be great. I am not able to match anywhere close to the numbers you're stating in your posts, and want to make sure we're getting the correct account sorted out. (Don't post it here! Just your ticket).
     

    0
  • Dave Dezellem

    Hi. Since this past weekend (1-11) we have been getting hit by a bot attack. I have followed the steps above and the attack is continuing.

    I have added some of the domains to the blacklist but we continue to get tickets from those domains as well as new ones.

    They have been coming in from our widget as well as web forms. I have had to turn off our widget because we've been unable to keep up on the spam.

    Any help would be appreciated 

     

    0
  • Sheryl T

    Dave Dezellem - Open a ticket with ZenDesk so they can look at your account and respond to you directly.  Meanwhile, you can create a view for the spam tickets so that you can then just mark them as spam and delete periodically.  Use key words from your spam tickets to create the view.  Hope this helps.

    0
  • Dave Dezellem

    Hi Sheryl,

    Thanks. I had created a trigger to pull and solve the tickets, that worked until they changed the subject line...

    Just updated that so short term fix is in place again. I'll reach out to ZD and open a ticket for a long term fix, seems to be an ongoing issue that we avoided until now.

     

    0
  • Sheryl T

    Dave Dezellem - I would not mark tickets as Solved when they are spam! That will skew your statistics and probably also send a message to the email account on the ticket which will forward the spam yet again. For your view, use words from the body of the message, not the subject line. There are several words in those emails that are consistent even when they change the message.

    0
  • Dave Dezellem

    Hi Sheryl,

     

    Thanks, I've updated the trigger.  Knock on wood as of this morning we haven't had any attacks.  Hopefully they have moved on.

    1
  • Scott

    Dave Dezellem:

    Filtering out spam via content had mixed results for me b/c spammers change their wording up, but I found something that works:

    Kill anything coming from Zendesk's API.

    If you're not using Zendesk's API for creating tickets, I've found that you can just filter new tickets by their "Channel". I just set mine to stop any tickets that come to us via "Web Services (API)" and the spam ended shortly thereafter.

    Here's how my filter conditions were set:

     

    This still allows all of the other channels (e.g. email, website, chat, social media, & embedded web widget) to work. Since we're not using that Web Services API, it works great for us.

    Hope that helps someone!

    -Scott

     

    PS: Make sure your filter is the FIRST TRIGGER in the list of triggers!

    0
  • Patrick Townley

    Dave Dezellem chiming in to confirm I took the same tactic and it stopped the spam within a day.

    I set it to solved immediately and made sure all our email notification triggers ignored it based on status/tag. Might mess up your stats temporarily but after that the spam should stop.

     

    Obviously not great if you have integrations submitting tickets via that API endpoint, but if not it's perfect!

    0
  • Jonathan March

    Patrick Townley

    Similar to yesterday's comment by Sheryl T, I would recommend NOT setting to solved, but rather moving to a Spam Holding group. Then periodically select everything in that group and explicitly report it as spam. This will delete the tickets (avoiding skewing your stats) and report them to ZD as spam which at least in theory could have an impact on their spam filters at some point.

    2
  • Sheryl T

    Happy to hear that, Dave Dezellem!  Knocking on wood for you. :-)

    0
  • TonyLarson

    I used a combination of Scott and Jonathan's tactics above to eliminate our issues without the need to permanently modify our end user 'notify requester' trigger. Our users are accustomed to seeing their request content in the ticket receipt, so I wanted to avoid adjusting that. 

    Instead, since we do not utilize the API, I have a top line trigger that places tickets submitted via the API into a group that only I monitor, and have set the 'notify requester' trigger to ignore anything in that group. No notifications will go out to any tickets submitted via the API, so presumably the spammers are no longer interested. This eliminated the spam right away. 

    That said, this solution is problematic for anybody using the API, or if we decided to use it again. I think a cleaner solution from Zendesk that would allow us to turn off unauthenticated API submissions would be ideal. 

    2
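
Added example, not part of any comment above and not Zendesk's code or API: a simplified single-pass model of the setup Scott and TonyLarson describe, showing why the channel filter has to sit above the "notify requester" trigger. The channel labels, group name and sample tickets are constructed assumptions.

```python
from dataclasses import dataclass, field

SPAM_GROUP = "Spam Holding"  # hypothetical group name

@dataclass
class Ticket:
    channel: str      # constructed labels: "web_service", "web_form", ...
    requester: str
    body: str
    group: str = "Support"
    outbox: list = field(default_factory=list)  # (recipient, text) pairs

def quarantine_web_service(t):
    """Route anything created via Web Service to the holding group."""
    if t.channel == "web_service":
        t.group = SPAM_GROUP

def notify_requester(t):
    """Receipt that echoes the request body; skips the holding group."""
    if t.group != SPAM_GROUP:
        t.outbox.append((t.requester, "Request received:\n" + t.body))

def run_triggers(ticket, triggers):
    """Fire each trigger once, top to bottom (simplified single pass)."""
    for trigger in triggers:
        trigger(ticket)
    return ticket

def relayed(ticket):
    """True if requester-supplied text was mailed out for this ticket."""
    return any(ticket.body in text for _, text in ticket.outbox)

def demo():
    filter_first = [quarantine_web_service, notify_requester]
    filter_last = [notify_requester, quarantine_web_service]
    # Constructed sample tickets.
    spam = dict(channel="web_service", requester="victim@example.test",
                body="Claim your prize at http://spam.example.test")
    form = dict(channel="web_form", requester="customer@example.test",
                body="My invoice total looks wrong")
    return {
        "spam_filter_first": run_triggers(Ticket(**spam), filter_first),
        "spam_filter_last": run_triggers(Ticket(**spam), filter_last),
        "form_filter_first": run_triggers(Ticket(**form), filter_first),
    }

if __name__ == "__main__":
    for name, t in demo().items():
        print(f"{name}: group={t.group!r} relayed={relayed(t)}")
```

With the filter last, the ticket still ends up in the holding group, but the receipt carrying the spam text has already gone out to the address the submitter supplied.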
  • Patrick

    I am glad that I left my spam catch triggers in place, since the spammers tried again early this morning. They only created 4 tickets before they presumably realized that it wasn't working.

    So Zendesk, are you ever going to plug that big hole in your API security or are we just expected to deal with random scammers generating junk tickets whenever they feel like?

    That notice email you sent last week is ridiculous. How about you make it so that the API requires an authenticated connection for tickets to be created.

    2
  • Sheryl T

    I got one more spam ticket this morning, and like Patrick, I left my trigger in place so it went to my "Spam" view and I then marked it as spam.  Yes, there is no reason that ZenDesk cannot filter out these messages before they get to all of us!

    1
  • Annie Mena

    We started to receive spam tickets again today, there were 3 this morning and they continue to trickle in. Please provide a resolution, we have implemented all the previous workarounds.

    0
  • Sheryl T

    We have 9 more spam tickets since I last wrote.  I am opening a ticket with ZenDesk now and suggest that you do the same if you are receiving spam.  They do not respond to our messages here, but they will reply to tickets.  Thanks everyone!

    0
