There were more than 1000 spam tickets submitted from different addresses through the web form. How do I make it stop?
Firstly, verify the tickets are actually coming from your contact form. To do that, you can check the events of the ticket.
To view ticket events
- Open a ticket and view the events. For steps on viewing events of a ticket, see the article: Viewing all events of a ticket.
- If a ticket is submitted through a channel other than the web form, such as Twitter or email, details about the channel appear. Therefore, you are looking for something like this:
CAPTCHA is enabled by default to mitigate spam attacks on your web form. You can require your end-users to register and verify their email to access the web form. For more information, see the article: Requiring that your users register to use Zendesk.
If your Zendesk account has been spammed and you suddenly need to bulk delete these spam tickets, instead of manually deleting them, there are different ways to do it and they are all outlined in this article: How can I bulk delete spam tickets in Zendesk?
This article instructs the reader to enable CAPTCHA, but the doc it links to explains that CAPTCHA is enabled by default and can't be disabled.
Good catch! We have flagged that portion of the article for update. There were changes indeed with the product last year. It used to be the case that there was a separate setting just for Captcha. Now, it is enabled by default. One option for widget spam concerns would be the require authentication checkbox. (Captcha is no longer an option).
Thanks for bringing that to our attention. You're awesome!
The article says that CAPTCHA is enabled by default, yet we've never seen it during our tests. Does this mean that it is not always offered?
If so, is there a way to force it? We have had a major spam outbreak via one of our contact form, from Chinese hosts, a couple of weeks ago. We disabled the form in question, but it'd be nice if we could re-enable it in the future.
This would also help us filter "trash" tickets.
Users are only prompted with a CAPTCHA in certain circumstances – for more information, see CAPTCHA FAQs
Hope that helps!
Yeah, we're seeing the same sort of spam. All from a single domain. The mind-blowing thing is that even adding the domain to the blocklist isn't working. Really concerned ZD isn't taking this more seriously. If they're only sending Captcha in certain circumstances this needs to be greatly improved to protect their customers.
Yes, I totally agree. Recently there is a mass spam attack going on. It's been one month and we cannot do anything about it. When we Suspend access of the user, after a while he's still able to send us bunch of spam.
Zendesk, are you going to do anything about it?
Thanks for your reply.
I understand, but this is not very satisfactory. From my point of view, we - as Zendesk customers - should have the possibility to enforce CAPTCHA to everyone if we need to.
I wish this would be considered as a possible new feature in the future.
This article doesn't seem to actually answer the question of how to stop a spam attack. It tells you how to see where the spam has come from and how to delete the spam, but nothing on stopping it.
Based on the information above, if the default automatic CAPTCHA is not enough to prevent these spam attacks, the recommendation is to require end-users to sign in before they can submit a request.
Just to confirm, if you use just "domain.com" on blocklist, user can still create ticket with web widget form and help center form, but if you use "suspended:domain.com" or "reject:domain.com", this also applies to any tickets created via Web Widget form or help center form?
Atleast based on short testing, this would be true. If it is, it helps with fighting spam via web widget form, we see time to time.
Hi Arno (EMEA Partner),
Yes, you are correct. Using the keyword "reject:" would block ticket submissions from all the channels. More information can be found here for reference.
Please sign in to leave a comment.