Protecting your company from spam and abuse is inevitably a task all companies are confronted with. While there is no silver bullet to stop all spam, there are some commonly used options that can help.
To ensure your account is as spam-free as possible, applying active protections to forms, emails and API calls that send to your account should be maintained. This article describes some great methods for protecting your account.
This article contains the following sections:
- Using CAPTCHA on forms
- Protecting your domain from email abuse, via SPF, DKIM and DMARC records
- Zendesk Support-specific features
- Further Reading
Using CAPTCHA on forms
Using a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is touted as one of the best ways to prevent incoming spam on any sort of public facing submission to your system. This presents a challenge to anyone submitting a ticket before they are able to successfully submit. In many cases, this will outright stop any attempts to abuse your system.
Support uses Cloudflare's bot detection and management software. CAPTCHA is enabled by default, including on the Sign Up page, and can't be disabled. Only traffic that Cloudflare flags as suspicious will be served CAPTCHA challenges.
Protecting your domain from email abuse via SPF, DKIM, and DMARC records
Most commonly, abusive email messages come from a forged or fake address which can be accomplished easily in many programs and scripts. Using SPF, DKIM, and DMARC in tandem will help build your domain’s reputation, and avoid having your mail end up in your customer’s spam folder. We make it easy to use on your account, as we support all three records. Here's a quick recap of all records:
An SPF record is a policy which is set up within your DNS record that allows the email receiver's email client to validate if the server is allowed to send messages on its behalf. In layman's terms, SPF acts like an allowlist for email servers, dictating what can and cannot send on your domains behalf. This can cut down significantly on forged emails. You can read more about setting up records for Zendesk in our article, Setting up SPF for Zendesk to send email on behalf of your email domain.
DKIM records are a protocol which validates a message’s cryptographic signature against a public key placed in the DNS record of sender’s domain. This helps ensure that there was no deviation within the path of the email, and shows if a message has been altered in anyway prior to the receiver getting the message. Due to this, servers tend to find any domain or email more reputable, and less likely to end up in a spam folder (or outright rejected). You can setup the DKIM records needed for Zendesk by following the article, Digitally signing your emails with DKIM or DMARC.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy which attempt to tie SPF and DKIM together, by telling servers how to handle an email if SPF and/or DKIM records aren't present within an email. It can also send email reports on failures, to help you gain insight into how your domain is being used and handling email. For more information on DMARC and how to set one up, see the overview on Dmarc.org.
Zendesk Support-specific features
While the previously-mentioned actions will help your domain in general, Zendesk Support offers a few additional tools at your disposal.
Sender Authentication (Inbound DMARC protection)
Sender Authentication is a relatively new feature which helps you control spoofed and illegitimate emails from reaching your account. This feature looks to authenticate the senders DMARC, and sends to your suspended queue if it fails. You can find this feature on the Email admin page, at Admin > Channels > Email. For more information on the feature itself, see our support article, Authenticating incoming email using DMARC for further information.
Blocking emails and domains
If you're past the point of proactively protecting your account and spam has been coming through email, you can outright block incoming emails from specific addresses or entire domains. This can be an efficient way to stop spam in its tracks. See our article, Using the allowlist and blocklist to control access to Zendesk Support.
As spammers continue to get more creative and sophisticated with their methods, it is important to take advantage of all possible spam fighting tools at your disposal, as no one solution will be completely effective. With the combination of the methods listed here implemented for your business, spammers will be less likely to target your business.
If you're looking for more documentation to combat spam, check out the following:
We need to filter out incoming support tickets from legitimate email addresses that contain identified suspicious links. I tried using a customer Trigger on new tickets that contain the link in the Comment Text, but this isn't catching them.
Can you advise how to set a Trigger that targets tickets that contain specific URLs embedded in the content?
Is it possible to use a regex to block certain e-mails from a domain? We're getting a lot of spam from @qq.com. We don't want to block all e-mails from qq.com but only those following a certain pattern. The pattern would be if there are only digits preceding the domain.
Were you able to deal with the qq.com spam issue? We are struggling with the same issue since April - we've enabled sign-in requirement before submitting a ticket but we're still getting spam from random firstname.lastname@example.org.
Please sign in to leave a comment.