How can I stop a spam attack coming from my contact form?

Return to top


  • Rich Trott

    This article instructs the reader to enable CAPTCHA, but the doc it links to explains that CAPTCHA is enabled by default and can't be disabled.

  • Phoebe Morin
    Zendesk Customer Care

    Hi Rich, 

    Good catch! We have flagged that portion of the article for update. There were changes indeed with the product last year. It used to be the case that there was a separate setting just for Captcha. Now, it is enabled by default. One option for widget spam concerns would be the require authentication checkbox. (Captcha is no longer an option). 

    Thanks for bringing that to our attention. You're awesome! 

  • Julien Maneyrol

    Hi there,

    The article says that CAPTCHA is enabled by default, yet we've never seen it during our tests. Does this mean that it is not always offered?

    If so, is there a way to force it? We have had a major spam outbreak via one of our contact form, from Chinese hosts, a couple of weeks ago. We disabled the form in question, but it'd be nice if we could re-enable it in the future.

    This would also help us filter "trash" tickets.


  • Dave Dyson
    Hi Julien, 
    Users are only prompted with a CAPTCHA in certain circumstances – for more information, see CAPTCHA FAQs
    Hope that helps!
  • Daniel Fachin

    Yeah, we're seeing the same sort of spam. All from a single domain. The mind-blowing thing is that even adding the domain to the blocklist isn't working. Really concerned ZD isn't taking this more seriously. If they're only sending Captcha in certain circumstances this needs to be greatly improved to protect their customers. 

  • Natalia Lutsevich

    Yes, I totally agree. Recently there is a mass spam attack going on. It's been one month and we cannot do anything about it. When we Suspend access of the user, after a while he's still able to send us bunch of spam.

    Zendesk, are you going to do anything about it?

  • Julien Maneyrol

    Hi @...,

    Thanks for your reply.

    I understand, but this is not very satisfactory. From my point of view, we - as Zendesk customers - should have the possibility to enforce CAPTCHA to everyone if we need to.

    I wish this would be considered as a possible new feature in the future.

    Best regards

  • Ola Timpson

    This article doesn't seem to actually answer the question of how to stop a spam attack. It tells you how to see where the spam has come from and how to delete the spam, but nothing on stopping it.

  • Dane
    Zendesk Engineering
    Hi Ola,
    Based on the information above, if the default automatic CAPTCHA is not enough to prevent these spam attacks, the recommendation is to require end-users to sign in before they can submit a request.
  • Arno (EMEA Partner)

    Just to confirm, if you use just "" on blocklist, user can still create ticket with web widget form and help center form, but if you use "" or "", this also applies to any tickets created via Web Widget form or help center form?

    Atleast based on short testing, this would be true. If it is, it helps with fighting spam via web widget form, we see time to time.

  • Dainne Lucena
    Zendesk Customer Care

    Hi Arno (EMEA Partner),


    Yes, you are correct. Using the keyword "reject:" would block ticket submissions from all the channels. More information can be found here for reference.


    To completely block support requests from specific users, enter the keyword reject: in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue and there will be no record of the ticket in your Zendesk.


Please sign in to leave a comment.

Powered by Zendesk