How can I combat spam submitted via web service?

Return to top
Have more questions? Submit a request


  • Celia Johnson

    If I add the current user is end user, will that mean that people who submit tickets from the widget that aren't signed in, won't get a message that they opened a ticket?

    Also, why is Zendesk not alerting anyone proactively to the need for these changes?

  • Ryan
    Zendesk Team Member

    Hi Celia Johnson,

    Thanks for your reply.

    Adding the current user is end user refers to the person making the last comment -- Essentially you're narrowing the trigger for only end users, to prevent both the notify requester of received request (the altered trigger) and the notify requester of proactive request (which provides the first comment from agents) at the same time. This will remain the same regardless of channel.

    "why is Zendesk not alerting anyone proactively to the need for these changes?"

    We actually made the announcement of default trigger changes three months back, which should have show under your admin settings within news. To make sure you don't miss these, I highly recommend subscribing to the Product announcement section:

    -- As for proactively emailing --

    We've been sending small cohorts to affected users via email, though we have not widespread sent an alert out (beyond the announcement above). We're looking into more effective methods of sending out these messages and hope to have a widespread solution coming shortly.

    Apologies for the inconvenience overall -- If you have any additional questions, please don't hesitate to reach out to support, and we'd be glad to assist. 

  • Yu Ng

    has this been fixed yet? we just got hit with a ton of spam API tickets, asking us to remove the placeholders is not a good solution, it's been months since you guys posted this! still not fixed?! that's unacceptable!!

  • Bethany Gray

    We have been receiving a bunch of spam API tickets, beginning earlier this afternoon. 

  • Walter

    We also started getting hit earlier today.  How can we be certain which trigger is being triggered? Why can't Zendesk detect these attacks on their own website?

  • Seamus Tredinnick

    Currently being affected by this issue. Zendesk Support has been in touch and confirmed that this is an API Request endpoint issue under investigation.

  • Nicole Saunders
    Zendesk Community Team

    Hi all -

    Thank you for your comments. This issue is currently being worked on, and we will provide updates here as we have them available. I've added your cases to our internal problem ticket on the issue.

  • Nicole Saunders
    Zendesk Community Team

    update: we are putting some temporary blocks in place to combat the spam; you should begin to see the issue subside shortly. 

  • Peng Li

    Hi, we are also under this attack. I've made all the suggested changes to our trigger. Nicole Saunders could you also help investigate and stop the influx of tickets via the API endpoint?

  • Walter

    We are still under attack. We've received 4 spam messages this morning.

  • Jim Stalder

    We started to receive a number of spam messages, too - starting 01/03/20.   We are getting these entered via the Zendesk anonymous post method of ticket creation:

    Anonymous request

    curl https://{subdomain} \
    -d '{"request": {"requester": {"name": "Anonymous customer"}, "subject": "Help!", "comment": {"body": "My printer is on fire!" }}}' \
    -X POST -H "Content-Type: application/json"


    At my organization, all of our tickets are created from email, the Zendesk web form, or via a follow up ticket.   Since we don't create any new tickets via any API, I'm able to create a trigger that looks for any created tickets via this method, tag them as such, solve them and bypass any further action.   They still get created, but they immediately get buried and don't cause issues.   I add a tag called "zendesk_spam" so I can keep an eye on them....


  • Jim Stalder

    Specifically, I do this (with some additional variations) and make this my first trigger.    This way, I don't have to remove all the placeholders as Zendesk suggests above.   Of course, this only works because we don't use the API method to create tickets....

  • Martin Cox

    This is not an authoritative answer but merely a question regarding Jim's tactic -- Could you just set a single Channel condition of "Is Web service (API)" instead of "Is not Email" and "Is not Web form"? And are you just closing the ticket if meeting those conditions?

  • Jim Stalder

    I chose the negative check in case other unexpected spam starts arriving via other channels we don’t use. I’m solving them now ( and not closing ) simply to check the triggers and attributes I’m assigning to make sure all is working as intended.

  • Sara Gardinier

    This is still affecting us as well. I made the changes described above and that seemed to help for a few hours last night, but the spammers are back in full force today. We've received dozens of messages over the last 24 hours. 

  • Martin Cox

    Fortunately we have a fairly consistent customer base with many users across few domains which allowed us to take the first crack at stopping this by making the change to "Ask users to register" along with whitelisting our customer base. This has the net effect of automatically putting the spam into the Suspend queue where I can periodically delete it and none of our techs see it (we also push ticket updates to Slack and the spam was clogging that view as well). While at the same time not inhibiting our customer base to force start registering in order to submit issues. So far this is working well.

    To that end, I may give Jim's technique a try as well since my method has a few undesirable corners.

  • Patrick Townley

    Rather than these workarounds, how about an actual fix?


    Please add an option to disable unauthenticated/anonymous API ticket submissions only, without affecting other channels.

  • Chris Johnson

    Please also keep me alerted to the status of this fix, we are also getting hit hard today.

  • Jim Beaulieu

    Same situation for us. Lots of unwanted tickets coming in.

  • TonyLarson

    We have received roughly 50 of these messages in the last 12 hours. I would prefer a system wide solution rather than workarounds that will eventually reduce spam. 

    This wasn't an issue for us until last night. 


  • Rasmus Luckow-Nielsen

    We have been hit heavily within the last 24 hours with spam-tickets submitted via the API. They are very similar, and the going rate is around 10 per hour. Very annoying.

  • Patrick

    My company is also experiencing an ongoing attack.

    Apparently, Jim and I had a similar idea. Currently, as temporary fix, I have set up a similar trigger that looks like this;
    We have customized all of our auto-reply notifications so that they will not fire if the ticket has the "notified" tag. This trigger is in the first position and is set to apply the "notified" tag to any tickets that match the above conditions, as well as assign the ticket to my agent account.

    15 new spam tickets have come in since I set this up, and all of them have been assigned to my user agent account and prevented from sending out a notification.

    Thankfully, I mostly do internal tech stuff, so my zendesk getting filled with spam isn't an issue. After the attack we can comb through them and see if any legitimate messages got caught up in it.
    For now, I feel like adjusting your auto-reply tickets to follow a similar system is a better work around than this nonsense.

    Hopefully this will teach zendesk that they need to fix this exploit.

  • Jonathan L

    3 months later the issue is still not fixed, this is not good enough! My support desk has been hammered all day!

    Instead of messing around releasing new half baked products how about you keep the core support desk solution secure!

    Remember many of your customers have been with you for many years, it appears currently the ZD management team has lost sight of the vision and mission!

    2 important products 1)Support 2)Guide

    Everything else is obviously a distraction!

  • Annie Mena

    We have implemented all the suggestions but are still being hit with a high volume of tickets, please provide a solution asap

  • Service

    We are too have been impacted by a high volume of spam tickets via the API. Surely Zendesk should have the knowledge and tools to stop these calls to their own API. 

  • Matt Nade (MOVUS)

    Another account experiencing this issue.  Have Implemented suggested fixes. Crossing Fingers.

  • Sheryl T

    We are impacted also and nothing suggested works.  7+ months to fix an issue is unacceptable!  This has been my experience with ZenDesk for years.  The support is awful, and the problems are many.  So ridiculous for a company that supports tech support people!

  • Sarah Voit

    We are also affected by the issue since yesterday (Jan 4). Spam coming in via API. I removed placeholders from the default Notify requester of received request trigger, no other triggers with placeholders in place. This didn't help. 

    We were hit by a similar spam attack also some months ago and removing the placeholders didn't help either back then. Zendesk support was informed back then and also now. Very disappointing that there isn't a solution yet. 

  • Jason Wallis

    Since it sounds like they're all Instagram related- I was thinking of setting up a trigger that just finds the word Instagram mentioned in the ticket and stops any response and then marks it as spam....  any downside to doing that?  We sure as heck don't have any legit customers mentioning Instagram.

    Anyone really good at writing triggers that can suggest the best practice way to do it if it seems like a decent idea?

    edit -  so a small number of customers do mention their instagram address in their email signatures (narcissists lol) so maybe the trigger should look for "instagram" and "audit" since they all seem to mention that... 


  • Jason Wallis

    All mine seem to have b​i​t​​​​​b​​​​​​​i​​​​​z​​​​​.​​​​​​​x​​​​y​​​​​z included in the text... so I can do something like this

    can someone help me figure out what action to take after that?  Is there a way to mark it spam in the trigger?

    Edit:  I found this idea

    seems good-  send em to a dark hole and never reply... just need someone to help make sure we set this up correctly and share here so everyone can copy it.


Please sign in to leave a comment.

Powered by Zendesk