Background
If an uptick in spam is impacting your account, use this article for recommended actions you can take to discourage spammers who might try to target your account.
These tickets may have the web_widget tag, but in observed cases, the tag was actually added by the spammer. If you view the events of the spam ticket (see Viewing all events of a ticket) and look to the very bottom of the page, you’ll see that it was submitted via Web Service. This indicates it was created via API (see How are ticket channels defined across Zendesk?).
The primary goal of spammers is to use your triggers to pass spam content to other users via placeholders. To that end, we recommend removing placeholders from the default Notify requester of received request trigger. If you have customized triggers, you’ll also need to remove any of the placeholders that pass the comment or title content of the ticket to the end-user upon ticket creation.
Instructions
Step 1: Remove placeholders that spammers target
In this example, we're updating Notify requester of received request.
- Under Meet ALL of the following conditions, add the condition Current User > is > (end-user)
- Under Actions, refer to the Email subject and Email body fields. Remove these two placeholders
- {{ticket.title}}
- {{ticket.comments_formatted}}
Removing these placeholders renders your trigger useless to spammers, since it will no longer share their spam content with recipients. This will not immediately stop the flow of spam tickets, but will prevent spammers from reaching end-users, and you should eventually stop seeing spam come in.
Step 2: Create a new trigger for agent-created tickets
In step 1, we removed the placeholders that give your users context about tickets created on their behalf. If your agents create tickets on behalf of end-users (for example, sending out proactive emails), you'll need to create a new trigger that notifies users of the content of those tickets (but doesn't allow spammers to do the same).
In this example, we create a new trigger that we'll call Notify requester of new proactive ticket:
- Under Meet ALL of the following conditions, add the following conditions:
- Ticket > is > Created
- Privacy > is > Ticket has public comments
- Current user > is > (Agent)
2. Under Actions, select the following actions:
- Email user > (requester and CCs)
- Email Subject:
{{ticket.title}}
- Email Body:
This ticket was created on your behalf.
{{ticket.comments_formatted}}
To add additional comments, please reply to this email.
Temporarily blocking email domains using the blocklist
While the above recommendations will protect your account from further spam, it will not immediately stop ticket creation. If you want to block ticket creation regardless of channel, you can use the blocklist found under Admin >> Settings >> Customers, with the blocklist modifier suspend: or reject: prepended to the domain.
blacklist: reject:randomspammer@gmail.com suspend:qq.com
For complete instructions about control access, see Using the whitelist and blacklist to control access to Zendesk Support.
For more information on spam prevention on other channels, please see Spam prevention resources.
84 Comments
Zendesk, could you please clarify how it's possible for a malefactor to use the API without having possession of an API Token?
> If you view the events of the spam ticket (see Viewing all events of a ticket) and look to the very bottom of the page, you’ll see that it was submitted via Web Service. This indicates it was created via API
Hey Jonathan March
While it is through API, it is through the Requests Endpoint, which does allow anonymous requests (https://developer.zendesk.com/rest_api/docs/support/requests#create-request)
Presently, this is used for the submit a request form and Web widget (which both handles anonymous requests), but does not require them to be used.
Many thanks for the info Ryan, makes sense.
Zendesk, since we have the captcha safeguard for anonymous tickets submitted from a web form, it seems that it would be useful to support another setting to disable anonymous tickets submitted directly from the API. (I recognize that this would probably be non-trivial to implement!)
Can we have an update from Zendesk please? I find the lack of action when it comes to the security of the API and the damage this is causing to businesses reputation disgusting.
This weakness in the API has been abused for over 7 months, tonight I received 15 more tickets all spam orientated sent from the web api.
I'm seriously considering just moving to another supplier, the ZD support agent sent me a message saying that hes closing the ticket as the problem has gone away. I mean if I said that to my clients I wouldn't stay in business for long.
The temp (Community) solution leaves genuine customers who submit tickets unable to see the information they sent in the original request, this is not good enough!
Jonathan L - just exclude a few key words from the spam message from your Notify Requester of Received Request message, and that should do it. I haven't had any more spam since very early Monday morning.
Hi Guys,
is it know issue right? Why the Support seems not aware about that and reply to change trigger and we've clarified that the trigger doesn't fix the issue?
Please let me know
Hey Donato Dileo , Changing the ticket creation trigger so it cannot be used as an Open mail relay does indeed prevent your email and account from being used as a conduit for spam. The spammers who are affecting your account will no longer have any incentive to target you. You are correct -- It doesn't prevent the tickets from being created, but it helps to not make your account a target. This is the best solution to avoid spam.
Jonathan L I'll be glad to look into that ticket for you, and reach out to you again. To clarify, you are more than welcome to keep your placeholders within your ticket updates (so, on a reply, they would receive the entire thread again) -- Keeping the ability to relay spam, regardless of channel, leaves you vulnerable with this configuration. Changing it as the instructions state will help, and be a minimal change. Write into support and look at the Message you receive from us -- Feel free to use that as a template.
Jonathan March Thanks for that -- I've noted your feedback and am doing my best to relay it to that right people. Please know we're looking into a well rounded solution, but there unfortunately isn't a quick and easy answer. I will update this comment thread if I have any news -- otherwise feel free to write in and we should be able to provide some information.
Ok I clearly need some help here, our support desk is completely unusable, I made all the changes suggested last week, we have received over 2000 tickets, many in Russian that we cannot stop, our team is at breaking point and we have no idea what to do... many don’t get picked up as spam and the fields are all removed.
Can someone call me from Zendesk please, my ticket still awaits an update since late last week.
Hey Jonathan,
Thanks for the heads up! I'll reach out to our Advocacy team to see if we can get an update out to you on your ticket.
Appreciate you bringing this to our attention!
Hey Jonathan L -- I apologize for not reaching out on that ticket - Could you doublecheck to ensure you've edited the right triggers? This has shown very effective on other accounts which have done so.
A good way to check is to go into the Events page of the ticket itself to see which triggers have fired:
https://support.zendesk.com/hc/en-us/articles/203691176-Viewing-all-events-of-a-ticket#topic_wrp_3wn_scb
The Trigger would be the Notify Requester of Received Request trigger. If you have a newer account (one created within the last year), this should not apply to you (see what default triggers NOW look like HERE, circa ~1 year since time of this post).
I believe all plan levels are able to edit any existing trigger (though there is some restrictions around creating additional ones), so you should be able to do so.
Additionally, if any of the domains you see are not ones you would want or expect mail from, adding them to your blacklist with "suspend:" or "reject:" prepended to them will block or suspend for these API tickets (Note: without these modifiers, only the email channel will suspend tickets from them).
Lastly, if you could clarify the account of yours within your ticket that would be great. I am not able to match anywhere close to the numbers you're stating in your posts, and want to make sure we're getting the correct account sorted out. (Don't post it here! Just your ticket).
Hi Since this past weekend (1-11) we have been getting hit by a bot attack. I have followed the steps above and the attack is continuing.
I have added some of the domains to the blacklist but we continue to get tickets from those domains as well as new ones.
They have been coming in from our widget as well as web forms. I have had to turned off our widget because we've been unable to keep up on the spam.
Any help would be appreciated
Dave Dezellem - Open a ticket with ZenDesk so they can look at your account and respond to you directly. Meanwhile, you can create a view for the spam tickets so that you can then just mark them as spam and delete periodically. Use key words from your spam tickets to create the view. Hope this helps.
Hi Sheryl,
Thanks. I had created trigger to pull and solve the tickets, that worked until they changed the subject line...
Just updated that so short term fix is in place again. I'll reach out to ZD and open a ticket for a long term fix, seems to be an ongoing issue that we avoid until now.
Dave Dezellem - I would not mark tickets as Solved when they are spam! That will skew your statistics and probably also sends a message to the email account on the ticket which will forward the spam yet again. For your view, use words from the body of the message, not the subject line. There are several words in those emails that are consistent even when they change the message.
Hi Sheryl,
Thanks, I've updated the trigger. Knock on wood as of this morning we haven't had any attacks. Hopefully they have moved on.
Dave Dezellem:
Filtering out spam via content had mixed results for me b/c spammers change their wording up, but I found something that works:
Kill anything coming from Zendesk's API.
If you're not using Zendesk's API for creating tickets, I've found that you can just filter new tickets by their "Channel". I just set mine to stop anything tickets that come to us from via "Web Services (API)" and the spam ended shortly thereafter.
Here's how my filter conditions were set:
This still allows all of the other channels (e.g. email, website, chat, social media, & embedded web widget) to work. Since we're not using that Web Services API, it works great for us.
Hope that helps someone!
-Scott
PS: Make sure your filter is the FIRST TRIGGER in the list of triggers!
Dave Dezellem chiming in to confirm I took the same tactic and it stopped the spam within a day.
I set it to solved immediately and made sure all my our email notification triggers ignored it based on status/tag. Might mess up your stats temporarily but after that the spam should stop.
Obviously not great if you have integrations submitting tickets via that API endpoint, but if not it's perfect!
Patrick Townley
Similar to yesterday's comment by Sheryl T , I would recommend NOT setting to solved, but rather moving to a Spam Holding group. Then periodically select everything in that group and explicitly report it as spam. This will delete the tickets (avoiding skewing your stats) and report them to ZD as spam which at least in theory could have an impact on their spam filters at some point.
Happy to hear that, Dave Dezellem! Knocking on wood for you. :-)
I used a combination of Scott and Jonathan's tactics above to eliminate our issues without the need to permanently modify our end user 'notify requester' trigger. Our users are accustomed to seeing their request content in the ticket receipt, so I wanted to avoid adjusting that.
Instead, since we do not utilize the API, I have a top line trigger that places tickets submitted via the API into a group that only I monitor, and have set the 'notify requester' trigger to ignore anything in that group. No notifications will go out to any tickets submitted via the API, so presumably the spammers are no longer interested. This eliminated the spam right away.
That said, this solution is problematic for anybody using the API, or if we decided to use it again. I think a cleaner solution from Zendesk that would allow us to turn off unauthenticated API submissions would be ideal.
I am glad that I left my spam catch triggers in place, since the spammers tried again early this morning. They only created 4 tickets before they presumably realized that it wasn't working.
So Zendesk, are you ever going to plug that big hole in your API security or are we just expected to deal with random scammers generating junk tickets whenever they feel like?
That notice email you sent last week is ridiculous. How about you make it so that the API requires an authenticated connection for tickets to be created.
I got one more spam ticket this morning, and like Patrick, I left my trigger in place so it went to my "Spam" view and I then marked it as spam. Yes, there is no reason that ZenDesk cannot filter out these messages before they get to all of us!
We started to receive spam tickets again today, there were 3 this morning and they continue to trickle in. Please provide a resolution, we have implemented all the previous workarounds.
We have 9 more spam tickets since I last wrote. I am opening a ticket with ZenDesk now and suggest that you do the same if you are receiving spam. They do not respond to our messages here, but they will reply to tickets. Thanks everyone!
Please sign in to leave a comment.