How can I combat spam submitted via web service?

Return to top
Have more questions? Submit a request


  • Dan Mørkbak Sørensen

    Brett - I hoped to go on vacation now.. instead i probably have to manually delete mails all weekend so my support-team does not show up on monday to 1000+ tickets - im not impressed - why is it even possible to add tickets via a "web service" without an API key. Should this not be locked down to only allow this from the help center - thus protected behind captcha? 

    I created a Ticket with "Major Impact" as level - have heard absolutely nothing back from your end. I tried opening a support-ticket via chat - no no avail - agent could not help either, just referenced the same 2 articles already seen.

  • Scott


    You're 100% correct on all fronts. Zendesk should fix this absurd vulnerability!


    In case it helps, I had the exact same problem months ago and was able to work around the issue using Zendesk's filters. I posted my how-to in the comments on this thread a while back. (link)

    (It's been months and this spammy ticket problem has gone away for me, so maybe my fix will help you get that vacation in.)


    See this comment:

  • Dan Mørkbak Sørensen

    Hi Scott, 


    i have indeed meanwhile created just such a trigger. I hope to get "instant" effect out of it, and hope not to see any "false positives" either, since we also dont use the webservice api at all.

  • Ben Appell

    It's crazy that there isn't a better solution to this. I'm at my wits end trying to fix this issue since basically all the suggestions except the blacklist screw up our Zendesk workflow. Unfortunately, I don't have the luxury of filtering out the tickets by web service API since we use it for security notices, and the other suggestions end up blocking our auto replies altogether, or end up hiding full comment threads and subjects from members. I could only block some (but not all) of the domains using the blacklist because they are using gmail addresses now too!

    If Zendesk added a solution where I could filter out by a requester name that wasn't a domain or existing agent, I could easily fix this problem. The spammers have gotten sophisticated enough where they are putting links in their abbreviated name in their email because then you can't filter out by subject or message body:

  • Adam

    Creating triggers is very limited on the Essentials plan; adding one such as has been described above isn't possible without upgrading to another plan.

    I find this absurd. Basically, pay more in order to remove spam caused by the service itself. What a joke!

    Zendesk really should allow greater trigger creation on all plans whilst this API weakness exists.

    We've recently started receiving spam via the web service vulnerability. Over 1000 tickets in three days.

    The only option I can see right now is to manually delete. I'm marking the tickets as spam when deleting and that seems pointless, also. It's making no difference.



  • Stephen T

    I've just been welcomed by the Russian spambot community this week, and surprise, surprise, it appears they're abusing the open API end point to submit tickets (we don't use APIs otherwise and it is disabled).

    Additionally, they're now stuffing their spam URL short links into the requester name field, so even taking out the ticket content placeholders in the notify requester trigger doesn't avoid the ultimate recipient seeing the bad URL.

    The ability to shut down the open API endpoint would help, but really we really need better spam detection, otherwise the API is potentially rendered rather useless.

    The ability to set up our own triggers to send tickets to spam would also be helpful: e.g. If requester name matches pattern (e.g. a regex), mark as spam. I could easily have handled this week's attacks myself with this ability, without spending hours deleting tickets, reading threads like this, and messing with settings that have otherwise worked well for years.

  • Ben Appell

    Stephen - that's the exact problem I was having. I contacted Zendesk directly about it and they put me in some filter list on their end to push out tickets with the URLs in the requester field, but until then, I was able to find patterns of russian words in the subject line and set up a ruleset like this to sort them out of the queue:

  • Jonathan March
    Community Moderator

    We did the same thing (FWIW we also put into a spam holding group.) And we set our triggers to not respond to these.

  • Stephen T

    Unfortunately, I'm not seeing any word based pattern I can match on right now - I'd need more flexibility in the trigger conditions (additional fields plus the ability to match on patterns/regexes) to make it work.

    For now, I've added a trigger to tag tickets that come in via Web Service and then exclude those from any subsequent notify requester triggers.

    That said, is it ever legit to include a URL in the requester name? If not, rolling out an update to mark such tickets as spam should be a fairly straightforward way to disincentivize this particular style of attack, I'd have thought.


Please sign in to leave a comment.

Powered by Zendesk