Zendesk is making a change to our account defaults to prevent spam activity. As a result, your account trigger notifications may be updated.
This update will protect new accounts from spammers. Spammers discovered a vulnerability which allowed them to use Zendesk’s default triggers to forward spam to any arbitrary email address. New accounts are now protected against this exploit.
For accounts which have been using an old default message that has not been edited, we are making this timely change with customer protection in mind. Removing this vulnerability is the best protection we can offer.
This article explains what we changed, how you can go back if you choose, and why we recommend against that.
What changed
First, if you have altered the title of the trigger, or the subject or body of the email, we will not make any changes to your account. We will not make any updates to your custom notifications. You may still be vulnerable to this attack in these cases, though we are taking other unrelated steps to protect against this as much as possible.
Here's a screenshot of the original message for Notify requester of received request:
And here's the updated version:
As you can see, we've removed two placeholders, one from the body of the email message, and another from the subject. The conditions have not been altered, nor have any other actions. The placeholders are the root of the exploit we're resolving.
With these placeholders removed, the email which is sent to your customers when they initially submit their request will be a little different. Nothing will change about ongoing communication by email.
Here's an example of the email we sent using the old default:
(Note that your version might vary slightly, as we’ve had a few different defaults in the past.)
And here is the message we will send in the same case, using the new default:
Additionally, we have added a completely new trigger to your account, but in an inactive state. We’ve added the trigger because the change we made causes a problem if, and only if, you use Zendesk Support to proactively send messages to your customers. In this case, it’s much more important that the comment in the ticket be sent in the outgoing email notification.
If you look at our default notifications, you’ll see that we accomplish this with a new default trigger (which exists on new accounts created July 31st and later), “Notify requester of new proactive ticket.”
If you take this kind of action in your Zendesk, we recommend activating this new trigger. Here’s how to do that:
- Open Zendesk Support.
- Click the Admin icon in the sidebar, then select Business rules > Triggers.
- Click the Inactive tab.
- Look for the trigger titled Notify requester of new proactive ticket and open it.
- In the upper right corner, find the three dots icon, and select Activate from the drop down.
- Next, you’ll need to add a condition to your Notify requester of received request trigger to prevent double notifications.
- From the Triggers menu, select the Active tab again.
- Find the trigger named Notify requester of received request and open it.
- Under the heading Meet ALL of the following conditions, click the Add condition button.
- In the first drop down menu, select Current user.
- In the second, select Is.
- In the third menu, select (end-user).
With these changes made, agent-created tickets will function as expected, and you will still be protected from malicious use of your Zendesk account.
Why we made these changes
We have changed your account with the intent to protect you from attacks we have seen on hundreds of other accounts. The new configuration we've created will prevent you from being targeted, saving you from tens of thousands of spam messages being created in your account.
Spammers have been targeting accounts with this trigger because it allows them to create a ticket in your account (through a variety of channels), falsifying the identity of the “requester”. When the ticket is created, your Zendesk sends an email to that requester, and forwards the message of their choosing. By removing the placeholder, we keep the content they created out of the notification, denying them the ability to forward spam.
How to change it back
If you feel that the presence of the original message is critical to your workflow, we have not eliminated this option. It is possible for you to return these placeholders to your triggers if you so choose. We strongly caution against this, as it will open you up to this kind of attack.
To do so:
- Open Zendesk Support.
- Click the Admin icon in the sidebar, then select Business rules > Triggers.
- Look for the trigger titled Notify requester of received request.
- You can make any changes you like to the message from here.
- To make the email subject match the subject of the message you received from your customer, add the placeholder {{ticket.title}} to the Email subject field.
- To include the requester’s message to your Zendesk in the outgoing email acknowledgement, add the {{ticket.comments_formatted}} placeholder to the Email body field wherever you’d like it to appear.
We recommend against making this change as it will make it possible that your account will receive spam that it otherwise would not be vulnerable to. We are making every effort to filter and block spam, but these attacks have been very persistent. Removing the vulnerability in the first place is the best protection we can offer.
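As an added example (not Zendesk's own code), the check below audits a list of trigger definitions for the pattern this article describes: an active trigger that emails the requester, echoes the requester's own subject ({{ticket.title}}) or comment ({{ticket.comments_formatted}}), and carries no condition limiting it to agent-created tickets, as the "Notify requester of new proactive ticket" trigger and the Current user condition above do. The trigger JSON layout, the "current_user" condition field name and the three sample triggers are assumptions constructed for this example.

```python
import re
# Placeholders the article names that echo text the (spoofable) requester
# supplied; assumption: any of them in a requester email relays that text.
ECHO_PLACEHOLDERS = {"ticket.title", "ticket.comments_formatted"}
PLACEHOLDER_RE = re.compile(r"\{\{\s*([A-Za-z_.]+)\s*\}\}")

def echoed_placeholders(subject, body):
    """Requester-controlled placeholders used in a notification's text."""
    used = set(PLACEHOLDER_RE.findall(subject or "")) | set(PLACEHOLDER_RE.findall(body or ""))
    return used & ECHO_PLACEHOLDERS

def restricted_to_agents(conditions):
    """True if an 'all' condition limits the trigger to agent-created tickets
    (the 'current_user' condition field name is an assumption here)."""
    return any(c.get("field") == "current_user" and c.get("operator") == "is"
               and c.get("value") == "agent" for c in conditions.get("all", []))

def relays_requester_content(trigger):
    """Placeholders letting the ticket creator choose what the requester is emailed."""
    if not trigger.get("active") or restricted_to_agents(trigger.get("conditions", {})):
        return set()
    found = set()
    for action in trigger.get("actions", []):
        if action.get("field") == "notification_user":   # value layout assumed:
            recipient, subject, body = action["value"]   # [who, subject, body]
            if recipient == "requester_id":
                found |= echoed_placeholders(subject, body)
    return found

def audit(triggers):
    """Map each risky trigger title to the placeholders that make it risky."""
    return {t["title"]: sorted(p) for t in triggers if (p := relays_requester_content(t))}

def _trigger(title, subject, body, who=None):
    """Constructed sample: an active trigger emailing the requester on create."""
    conds = [{"field": "update_type", "operator": "is", "value": "Create"}]
    if who:
        conds.append({"field": "current_user", "operator": "is", "value": who})
    return {"title": title, "active": True, "conditions": {"all": conds},
            "actions": [{"field": "notification_user", "value": ["requester_id", subject, body]}]}

SAMPLE_TRIGGERS = [  # modelled on the three triggers the article describes
    _trigger("Notify requester of received request (old default)",
             "Request received: {{ticket.title}}", "Thanks.\n\n{{ticket.comments_formatted}}"),
    _trigger("Notify requester of received request", "Request received",
             "Your request has been received.", who="end_user"),
    _trigger("Notify requester of new proactive ticket", "{{ticket.title}}",
             "{{ticket.comments_formatted}}", who="agent"),
]
```

Only the old default is flagged: the new default carries no echoing placeholder, and the proactive trigger keeps them but cannot fire on a ticket an end-user created.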