Question

My account received thousands of tickets coming from our Chat widget. How can I stop this spam attack?

Answer

Require authentication for request and uploads APIs

To combat spam submitted through the API, which is the biggest cause of spam, follow these steps:

In Admin center, click People in the sidebar, then select Configuration > End users > Anybody can submit tickets > Enabled. Then, the option Require authentication for request and uploads APIs will display. Select this option and click Save tab.

For more information, see this article: Requiring authentication for the requests API endpoint.

If you are being spammed, check the IP address of each request and temporarily disable the offline Chat form.

Check if the spammer is using the same IP address for every request

If the spammer is using the same IP address for every request, you can ban it. Consider banning the country of origin if your company doesn't have real customers contacting you from there. For more information, see the article: Restricting the Chat widget by country or domain.

Important: Spammers often rotate their IP address, so this may only be a temporary solution. You may need to add more IPs as they emerge as spammy.

Temporarily disable the offline chat form (or widget as a whole)

Disabling the offline form altogether or the widget as a whole is the most disruptive to your workflow. However, hiding or disabling your Chat widget for a short time, five to ten minutes, is usually enough to interrupt the attack.

To disable the offline Chat form, follow the instructions in this article: Managing offline form settings.

Under Settings, hide the Chat widget until it is configured to appear by a trigger or the API.

  1. Select Settings > Widget.
  2. Click the Settings tab.
  3. In the Hide Widget section, make sure the Turn off Chat Widget checkbox is not selected.
  4. If you've unchecked the box, click Save Changes.

Alternatively, if you have the widget embedded in your Help Center, remove the entire integration under Knowledge admin > Settings > Integrations. Unselect the Chat option to make the entire integration disappear. For more information, see the article: Enabling Chat for your help center.

For information about cleaning up any spammy tickets that may have resulted, see the article: How can I bulk delete spam tickets in Zendesk?

Note: If the spam is coming from your Web Widget contact form, see the article: How can I stop a spam attack coming from my contact form?