Question
How can I combat spam submitted via web service?
Answer
The primary goal of spammers is to use your triggers to pass spam content to other users through placeholders. Zendesk automatically suppresses certain placeholders when certain criteria are met. For more information, see the article: Understanding placeholder suppression rules.
However, if you have customized triggers, you may still have placeholders that pass content of the ticket to the end user upon ticket creation, for example, {{ticket.title}}.
Instructions
Step 1: Remove placeholders that spammers target
Update your account's version of the Notify requester and CCs of received request trigger.
- If the trigger in your account that notifies requesters and CCs of received request doesn't have it yet, add the condition Current user | Is | (end user)
- Under Actions, refer to the Email subject and Email body fields. Remove any reference to the placeholder {{ticket.title}} or any other placeholder that renders content.
Removing this placeholder renders your trigger useless to spammers since it will no longer share their spam content with recipients. This step doesn't immediately stop the flow of spam tickets but prevents spammers from reaching your customers, and you should eventually stop seeing spam come in.
Step 2: Make sure you have a trigger for agent-created tickets
If your agents create tickets on behalf of end users, for example, sending out proactive emails, you need a trigger that notifies users of the content of those tickets but doesn't allow spammers to do the same.
Newly created Support accounts already have the default Notify requester of new proactive ticket trigger enabled in their accounts. However, older accounts may need to create one from scratch.
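One way to check a set of triggers against Steps 1 and 2, as an added example that is not part of the original article and is not Zendesk code. The dictionary layout is constructed for this example and is not the Zendesk API schema. Two things are assumptions: that the proactive trigger carries a Current user | Is | (agent) condition, and the list of content placeholders beyond {{ticket.title}}, which the article does not name.

```python
import re

# Placeholders that echo ticket text back out in a notification email.
# {{ticket.title}} is the one the article names; the rest are assumed additions.
CONTENT_PLACEHOLDERS = {
    "ticket.title", "ticket.description", "ticket.latest_comment",
    "ticket.comments_formatted", "ticket.latest_comment_formatted",
}
# Capture the first identifier after "{{", so Liquid filters are tolerated.
PLACEHOLDER_RE = re.compile(r"\{\{\s*([\w.]+)")

def content_placeholders(text):
    """Return the content-rendering placeholders used in a template string."""
    return sorted(set(PLACEHOLDER_RE.findall(text)) & CONTENT_PLACEHOLDERS)

def agent_only(trigger):
    """True if a condition limits the trigger to actions taken by an agent."""
    return ("Current user", "Is", "(agent)") in trigger["conditions"]

def audit(triggers):
    """Map trigger title -> content placeholders an anonymous submitter can reach."""
    findings = {}
    for t in triggers:
        if agent_only(t):
            continue  # Step 2: agent-created tickets may carry their content
        used = content_placeholders(t["email_subject"] + "\n" + t["email_body"])
        if used:
            findings[t["title"]] = used  # Step 1: these must be removed
    return findings

# Constructed sample triggers (hypothetical layout, not an account export).
SAMPLE = [
    {"title": "Notify requester and CCs of received request (before)",
     "conditions": [("Ticket", "Is", "Created")],
     "email_subject": "[Request received] {{ticket.title}}",
     "email_body": "Request {{ticket.id}} received.\n{{ticket.comments_formatted}}"},
    {"title": "Notify requester and CCs of received request (after)",
     "conditions": [("Ticket", "Is", "Created"), ("Current user", "Is", "(end user)")],
     "email_subject": "[Request received]",
     "email_body": "Request {{ticket.id}} received."},
    {"title": "Notify requester of new proactive ticket",
     "conditions": [("Ticket", "Is", "Created"), ("Current user", "Is", "(agent)")],
     "email_subject": "{{ticket.title}}",
     "email_body": "{{ticket.comments_formatted}}"},
]

if __name__ == "__main__":
    for title, used in audit(SAMPLE).items():
        print(f"{title}: remove {', '.join(used)}")
```

Only the "before" trigger is reported: it fires on tickets anyone can create and copies their content into the outgoing email.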
Temporarily blocking email domains using the blocklist
While the above recommendations will protect your account from further spam, they will not immediately stop ticket creation. If you want to block ticket creation regardless of channel, use the blocklist feature with the blocklist modifier suspend: or reject: prepended to the domain.
blacklist: reject:randomspammer@gmail.com suspend:qq.com
For more information on spam prevention on other channels, see the article: Spam prevention resources.
99 Comments
Zendesk, could you please clarify how it's possible for a malefactor to use the API without having possession of an API Token?
> If you view the events of the spam ticket (see Viewing all events of a ticket) and look to the very bottom of the page, you’ll see that it was submitted via Web Service. This indicates it was created via API
Hey Jonathan March
While it is through API, it is through the Requests Endpoint, which does allow anonymous requests (https://developer.zendesk.com/rest_api/docs/support/requests#create-request)
Presently, this is used for the submit a request form and Web widget (which both handle anonymous requests), but does not require them to be used.
Many thanks for the info Ryan, makes sense.
Zendesk, since we have the captcha safeguard for anonymous tickets submitted from a web form, it seems that it would be useful to support another setting to disable anonymous tickets submitted directly from the API. (I recognize that this would probably be non-trivial to implement!)
Can we have an update from Zendesk please? I find the lack of action when it comes to the security of the API and the damage this is causing to businesses' reputation disgusting.
This weakness in the API has been abused for over 7 months, tonight I received 15 more tickets all spam orientated sent from the web api.
I'm seriously considering just moving to another supplier, the ZD support agent sent me a message saying that he's closing the ticket as the problem has gone away. I mean if I said that to my clients I wouldn't stay in business for long.
The temp (Community) solution leaves genuine customers who submit tickets unable to see the information they sent in the original request, this is not good enough!
Jonathan L - just exclude a few key words from the spam message from your Notify Requester of Received Request message, and that should do it. I haven't had any more spam since very early Monday morning.
Hi Guys,
Is it a known issue, right? Why does Support seem not to be aware of that and reply to change the trigger, and we've clarified that the trigger doesn't fix the issue?
Please let me know
Hey Donato Dileo , Changing the ticket creation trigger so it cannot be used as an Open mail relay does indeed prevent your email and account from being used as a conduit for spam. The spammers who are affecting your account will no longer have any incentive to target you. You are correct -- It doesn't prevent the tickets from being created, but it helps to not make your account a target. This is the best solution to avoid spam.
Jonathan L I'll be glad to look into that ticket for you, and reach out to you again. To clarify, you are more than welcome to keep your placeholders within your ticket updates (so, on a reply, they would receive the entire thread again) -- Keeping the ability to relay spam, regardless of channel, leaves you vulnerable with this configuration. Changing it as the instructions state will help, and be a minimal change. Write into support and look at the Message you receive from us -- Feel free to use that as a template.
Jonathan March Thanks for that -- I've noted your feedback and am doing my best to relay it to the right people. Please know we're looking into a well rounded solution, but there unfortunately isn't a quick and easy answer. I will update this comment thread if I have any news -- otherwise feel free to write in and we should be able to provide some information.
Ok I clearly need some help here, our support desk is completely unusable, I made all the changes suggested last week, we have received over 2000 tickets, many in Russian that we cannot stop, our team is at breaking point and we have no idea what to do... many don’t get picked up as spam and the fields are all removed.
Can someone call me from Zendesk please, my ticket still awaits an update since late last week.
Hey Jonathan,
Thanks for the heads up! I'll reach out to our Advocacy team to see if we can get an update out to you on your ticket.
Appreciate you bringing this to our attention!
Hey Jonathan L -- I apologize for not reaching out on that ticket - Could you double-check to ensure you've edited the right triggers? This has shown very effective on other accounts which have done so.
A good way to check is to go into the Events page of the ticket itself to see which triggers have fired:
https://support.zendesk.com/hc/en-us/articles/203691176-Viewing-all-events-of-a-ticket#topic_wrp_3wn_scb
The Trigger would be the Notify Requester of Received Request trigger. If you have a newer account (one created within the last year), this should not apply to you (see what default triggers NOW look like HERE, circa ~1 year since time of this post).
I believe all plan levels are able to edit any existing trigger (though there are some restrictions around creating additional ones), so you should be able to do so.
Additionally, if any of the domains you see are not ones you would want or expect mail from, adding them to your blacklist with "suspend:" or "reject:" prepended to them will block or suspend for these API tickets (Note: without these modifiers, only the email channel will suspend tickets from them).
Lastly, if you could clarify the account of yours within your ticket that would be great. I am not able to match anywhere close to the numbers you're stating in your posts, and want to make sure we're getting the correct account sorted out. (Don't post it here! Just your ticket).
Hi, since this past weekend (1-11) we have been getting hit by a bot attack. I have followed the steps above and the attack is continuing.
I have added some of the domains to the blacklist but we continue to get tickets from those domains as well as new ones.
They have been coming in from our widget as well as web forms. I have had to turn off our widget because we've been unable to keep up on the spam.
Any help would be appreciated
Dave Dezellem - Open a ticket with ZenDesk so they can look at your account and respond to you directly. Meanwhile, you can create a view for the spam tickets so that you can then just mark them as spam and delete periodically. Use key words from your spam tickets to create the view. Hope this helps.
Hi Sheryl,
Thanks. I had created trigger to pull and solve the tickets, that worked until they changed the subject line...
Just updated that so short term fix is in place again. I'll reach out to ZD and open a ticket for a long term fix, seems to be an ongoing issue that we avoided until now.
Dave Dezellem - I would not mark tickets as Solved when they are spam! That will skew your statistics and probably also sends a message to the email account on the ticket which will forward the spam yet again. For your view, use words from the body of the message, not the subject line. There are several words in those emails that are consistent even when they change the message.
Hi Sheryl,
Thanks, I've updated the trigger. Knock on wood as of this morning we haven't had any attacks. Hopefully they have moved on.
Yakima Products, Inc.:
Filtering out spam via content had mixed results for me b/c spammers change their wording up, but I found something that works:
Kill anything coming from Zendesk's API.
If you're not using Zendesk's API for creating tickets, I've found that you can just filter new tickets by their "Channel". I just set mine to stop any tickets that come to us via "Web Services (API)" and the spam ended shortly thereafter.
Here's how my filter conditions were set:
This still allows all of the other channels (e.g. email, website, chat, social media, & embedded web widget) to work. Since we're not using that Web Services API, it works great for us.
Hope that helps someone!
-Scott
PS: Make sure your filter is the FIRST TRIGGER in the list of triggers!
Yakima Products, Inc. chiming in to confirm I took the same tactic and it stopped the spam within a day.
I set it to solved immediately and made sure all our email notification triggers ignored it based on status/tag. Might mess up your stats temporarily but after that the spam should stop.
Obviously not great if you have integrations submitting tickets via that API endpoint, but if not it's perfect!
Patrick Townley
Similar to yesterday's comment by Sheryl T , I would recommend NOT setting to solved, but rather moving to a Spam Holding group. Then periodically select everything in that group and explicitly report it as spam. This will delete the tickets (avoiding skewing your stats) and report them to ZD as spam which at least in theory could have an impact on their spam filters at some point.
Happy to hear that, Dave Dezellem! Knocking on wood for you. :-)
I used a combination of Scott and Jonathan's tactics above to eliminate our issues without the need to permanently modify our end user 'notify requester' trigger. Our users are accustomed to seeing their request content in the ticket receipt, so I wanted to avoid adjusting that.
Instead, since we do not utilize the API, I have a top line trigger that places tickets submitted via the API into a group that only I monitor, and have set the 'notify requester' trigger to ignore anything in that group. No notifications will go out to any tickets submitted via the API, so presumably the spammers are no longer interested. This eliminated the spam right away.
That said, this solution is problematic for anybody using the API, or if we decided to use it again. I think a cleaner solution from Zendesk that would allow us to turn off unauthenticated API submissions would be ideal.
I am glad that I left my spam catch triggers in place, since the spammers tried again early this morning. They only created 4 tickets before they presumably realized that it wasn't working.
So Zendesk, are you ever going to plug that big hole in your API security or are we just expected to deal with random scammers generating junk tickets whenever they feel like?
That notice email you sent last week is ridiculous. How about you make it so that the API requires an authenticated connection for tickets to be created.
I got one more spam ticket this morning, and like Patrick, I left my trigger in place so it went to my "Spam" view and I then marked it as spam. Yes, there is no reason that ZenDesk cannot filter out these messages before they get to all of us!
We started to receive spam tickets again today, there were 3 this morning and they continue to trickle in. Please provide a resolution, we have implemented all the previous workarounds.
We have 9 more spam tickets since I last wrote. I am opening a ticket with ZenDesk now and suggest that you do the same if you are receiving spam. They do not respond to our messages here, but they will reply to tickets. Thanks everyone!
Having an open API with no security is a serious backdoor Zendesk is leaving open. I want clients to submit tickets from the Help Center Zendesk provides but I am flooded with spam instead. This API should be closed to anyone outside the Help Center.
Hello Uri Argaman,
I wanted to check if you are using a Help Center that does not require a login? If not, enabling this would potentially resolve your issue and likely reduce the number of spam tickets you're currently receiving. If, for some reason, this doesn't fit the needs of your users or help center, I would recommend posting in our product feedback forums and sharing your use case with our developers. I've also shared an article about ticket events, which explains how these tickets are being created, which might shed some light on where the root cause of the spam is originating from.
Viewing all events of a ticket
Best regards.
Thanks Devan - Community Manager. I turned on the login and the spam stopped but I had to turn it back on as I need my clients to submit tickets without logging in.
This is a security vulnerability that Zendesk is not addressing. Allowing an open API to do anything other than Read does not match the security standards of our time.
Hello Uri Argaman,
On the security side, this is something that our developers are always looking into and gathering feedback on from users. I understand that not enabling SSO can be less cumbersome for your users and opens the possibility for unwanted submissions.
A reactive solution would be to implement your blocklist so that bad actors have less access to your instance in the future.
Using the allowlist and blocklist to control access to Zendesk Support
Best regards.
This is beyond annoying - I have just spent an hour deleting spam tickets.
And to make things even worse I noticed that Zendesk no longer provides support via chat, instead I am stuck with a completely useless bot.
Why can't I prevent spammers from sending tickets via "web service"? Workarounds to ensure end users don't get mails are nice I guess, but what about avoiding the damned thing...
Why do I have to spend hours deleting tickets that should never have been in there in the first case!
Hey Dan,
I see you have a ticket open with our Customer Care team regarding this issue. They'll be able to look into this further so hang tight!
Appreciate you bringing this to our attention!