How can I stop a spam attack coming from my contact form?

Return to top


  • Rich Trott

    This article instructs the reader to enable CAPTCHA, but the doc it links to explains that CAPTCHA is enabled by default and can't be disabled.

  • Phoebe Morin
    Zendesk Customer Care

    Hi Rich, 

    Good catch! We have flagged that portion of the article for update. There were changes indeed with the product last year. It used to be the case that there was a separate setting just for Captcha. Now, it is enabled by default. One option for widget spam concerns would be the require authentication checkbox. (Captcha is no longer an option). 

    Thanks for bringing that to our attention. You're awesome! 

  • Julien Maneyrol

    Hi there,

    The article says that CAPTCHA is enabled by default, yet we've never seen it during our tests. Does this mean that it is not always offered?

    If so, is there a way to force it? We have had a major spam outbreak via one of our contact form, from Chinese hosts, a couple of weeks ago. We disabled the form in question, but it'd be nice if we could re-enable it in the future.

    This would also help us filter "trash" tickets.


  • Dave Dyson
    Hi Julien, 
    Users are only prompted with a CAPTCHA in certain circumstances – for more information, see CAPTCHA FAQs
    Hope that helps!
  • Daniel

    Yeah, we're seeing the same sort of spam. All from a single domain. The mind-blowing thing is that even adding the domain to the blocklist isn't working. Really concerned ZD isn't taking this more seriously. If they're only sending Captcha in certain circumstances this needs to be greatly improved to protect their customers. 

  • Natalia Lutsevich

    Yes, I totally agree. Recently there is a mass spam attack going on. It's been one month and we cannot do anything about it. When we Suspend access of the user, after a while he's still able to send us bunch of spam.

    Zendesk, are you going to do anything about it?

  • Julien Maneyrol

    Hi @...,

    Thanks for your reply.

    I understand, but this is not very satisfactory. From my point of view, we - as Zendesk customers - should have the possibility to enforce CAPTCHA to everyone if we need to.

    I wish this would be considered as a possible new feature in the future.

    Best regards

  • Ola Timpson

    This article doesn't seem to actually answer the question of how to stop a spam attack. It tells you how to see where the spam has come from and how to delete the spam, but nothing on stopping it.

  • Dane
    Zendesk Engineering
    Hi Ola,
    Based on the information above, if the default automatic CAPTCHA is not enough to prevent these spam attacks, the recommendation is to require end-users to sign in before they can submit a request.
  • Arno (EMEA Partner)

    Just to confirm, if you use just "" on blocklist, user can still create ticket with web widget form and help center form, but if you use "" or "", this also applies to any tickets created via Web Widget form or help center form?

    Atleast based on short testing, this would be true. If it is, it helps with fighting spam via web widget form, we see time to time.

  • Dainne Lucena
    Zendesk Customer Care

    Hi Arno (EMEA Partner),


    Yes, you are correct. Using the keyword "reject:" would block ticket submissions from all the channels. More information can be found here for reference.


    To completely block support requests from specific users, enter the keyword reject: in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue and there will be no record of the ticket in your Zendesk.

  • Heather Darring

    I am not making my 200k+ members create an account when they just want a simple question answered. The vast majority put in tickets via email. CAPTCHA needs to be on the web form every single time to stop these spammers. The bot rules you are using are clearly not effective at all. 

  • Alison Hussey

    Suggestion to add information about how to actually add domains to the blocklist using suspend: or reject: to the description on the blocklist field.

    CAPTCHA is clearly not enabled by default on the web form. We are getting spam emails every few minutes and it's insane it took me this long just to find out how to use the blocklist, from a comment way down the page.

    What does the blocklist even do if you follow the directions on the field "Ticket creation is suppressed if the submitter's email address or domain is listed in this field. Separate multiple values with a space (for example, Put an asterisk (*) to blocklist everything except the domains added to the allowlist."

    Following these directions did not block the domain I added to the blocklist.

  • Ronald

    it's insane it took me this long just to find out how to use the blocklist, from a comment way down the page.

    We've been having a spam issue via webform and this was exactly what I needed. I wonder how long this functionality has existed. The support docs and End users page in the admin interface should definitely be updated to include notes about these keywords.

    Edit: Ok, so now I see. The "Read more" link under the blocklist points to an article which explains the keywords:

    But it's still odd that this crucial detail is buried. As far as I can tell the blocklist doesn't do anything without the keywords present.🤔

  • Michelle Gottardi

    We are getting an extremely high volume of spam tickets to the point it is overwhelming for our support team. What does Zendesk provide (other than having customer create a Zendesk end user account - which we are not going to have our gazillion customers do) to prevent spam from coming into through the web form. We can not use blocklist and domains vary from our customers.


    Please advise as I am trying to get this spam situation under control as soon as possible.


    Thank you for your assistance.

  • Mariam Khan

    Same! Our team has also recently undergone a high volume of spam tickets and the suggestions in this article thus far have proved quite unsatisfactory. We are not in a position to allow all of our end-users to sign into our Knowledge Base to access helpful content.

    We need an alternative that supports both workflows as opposed to being forced to use an option to address a limitation in Zendesk's platform. 

  • Pekka Pyrhönen

    Hi, same problem here as well. A lot of spam coming to our support from the contact form in support site. Forcing captcha to be displayed always would solve this probably but there's no way to enable it. 

  • Heather Lukes

    Anyone have a solution to this?  We are getting bombarded by Chinese spam.  We have an action that closes them automatically but that doesn't help with stats.

  • Mark Szymanski

    Same here, spam with Chinese characters, especially from, and via the web form.  We disabled Chat long ago, and recently disabled the Help Center too as it was not being used.  How can we disable the web form channel completely for end users?
    Btw, we don't want to require customer registration either.  We just have email and phone for end users.

    I have been able to use reject and suspend successfully in the blocklist.  But we also want the web form entirely disabled, except for agents of course, to completely plug the hole.

  • Mariam Khan

    Hey Mark Szymanski - our company was experiencing the exact same issue with our web forms receiving an influx of requests from the same domain.

    Zendesk's only response while unhelpful for our workflow was to enforce users to register for an account in their ticketing system before allowing them the ability to submit a request.

    What worked for us (but may not work for others) was adding this domain to our blocklist using


    After we did this, I am happy to say no more SPAM emails have come through at all. Please note you can use instead if you would still like these to come through your Spam folder. The reject keyword just prevents them entirely from coming through your Zendesk queues.

    It's also important to note that the spammers can use other domains to initiate these requests, but I am happy to say that hasn't been the case for us. 

    Another alternative provided by Zendesk's Support team was to remove variable placeholders from both our triggers' subject lines as well as body templates. Again this wasn't a solution for us since we use these placeholders to notify end-users and notify internal workflows but just listing all available options.

    If you decide to go with the blocklist out, this article will help:

  • Mark Szymanski

    Thanks Mariam.  Yes, as mentioned I too have been successful with the blocklist, specifically both using and  What concerns me more at this point is why anything from the outside comes in via the web form at all.  Our agents are the only ones who should have access to that.  We have both Chat and Help Center disabled.

  • Mark Szymanski

    If anyone else needs to know this, I found how to deactivate HC for end users here -

    Evidently what I had done before was just disable access to it via the web widget.  The URL's were still available on the internet, and spammers knew them.

    I also set my blocklist for back to reject instead of suspend.  That was just a test to verify the source.


Please sign in to leave a comment.

Powered by Zendesk