To keep customers safe from bad bots when accessing your help center content, Zendesk uses CAPTCHA. A CAPTCHA form renders whenever a bot is detected.
CAPTCHA is a Cloudflare rule that uses the Cloudflare Bot management features. The rule prompts requesters for a CAPTCHA if the request matches certain criteria, such as:
-
Having a BotScore that is lower than the threshold
- Excluding verified bots (such as search crawlers)
-
A /hc path exists
-
For your login: https://yoursubdomain.zendesk.com/auth/v2/login/
-
For your sign up: https://yoursubdomain.zendesk.com/auth/v2/login/registration
-
For ticket submissions: https://yoursubdomain.zendesk.com/hc/en-us/requests/new
-
This article covers the following frequently asked questions and scenarios:
- Why do I only see CAPTCHA sometimes?
- Why am I facing an error when rendering a CAPTCHA?
- I want to run an automation application or a good bot and not get blocked
- What does Cloudflare bot management track?
- I have a host mapped account, what should I know?
- What is Cloudflare bot management?
- Something has gone wrong, what do I do?
Why do I only see CAPTCHA sometimes?
Cloudflare’s Bot Management tool analyzes all Zendesk traffic and scores it based on how likely it is to come from a human or a bot. CAPTCHAs appear when traffic is scored within a certain threshold, as it is mostly meant for bots. A bot score of <5 emphasizes just how strict we are on bots in particular.
It is extremely rare that traffic from an actual human is misclassified as bot traffic by Cloudflare.
Why am I facing an error when rendering a CAPTCHA?
Ad blockers can turn off CAPTCHAs in certain browsers and older browsers may experience issues displaying CAPTCHAs (see Frequently asked questions about Cloudflare bot products).
I want to run an automation application or a good bot and not get blocked
If you are running a good bot and it's still being blocked, contact Zendesk Customer Support.
What does Cloudflare bot management track?
- Scenario: You are running a good automation or a good bot on the request
form or the anonymous requests
API.
Cloudflare bot management does not track traffic on the API. It does track traffic on the form, even though it is not expected that the form has any traffic.
- Scenario: You have a custom web form for ticket submission.
Cloudflare bot management tracks the traffic for all custom web forms going through ticket submission.
I have a host mapped account, what should I know?
Cloudflare bot management tracks the traffic for host mapped accounts. This is not an option that you can disable in the CAPTCHA settings. CAPTCHA is enabled by default when you allow anybody to submit tickets and can't be disabled.
What is Cloudflare bot management?
Zendesk uses the Cloudflare Bot management feature. It prompts requesters for a CAPTCHA if the request matches certain criteria. For example, if you set a bot score threshold, the feature will prompt a CAPTCHA for all traffic that matches the bot score threshold value (see What is the difference between the threat score and bot management score?).
A bot score is a value that ranges from 1 (a bot) to 99 (a human). The CAPTCHA page displays a 403 status code if this is triggered.
Something has gone wrong, what do I do?
If you care experiencing issues, contact Zendesk Customer Support.
24 comments
Michael Collins
1. Can we see an image of what it will look like to a customer upon traffic misclassification? Are "Zendesk" and "CloudFlare" front and center in the messaging on that page?
2. Could you share some insight into how extremely rare defined? 1/100, 1/1000, or 1/100,000, or something else?
0
David Bjorgen
Extremely rare? Our clients have been complaining about it for the past week. In addition, our internal staff is having to complete Captchas to access the administrative back end. How do we turn off this dysfunctional feature?
5
Chain Bridge Developers
We submitted this form and didn't get any response for 3 weeks now. Are you sure this form is the way to go?
We think it is Zendesk who has to configure
cf.bot_management.verified_bot
in their Cloudflare dashbpard.2
Matthias Gidda
Does anybody else have the problem that due to this bot blocking thing, you cannot use SEO tools to crawl your Help Center anymore?
We always used 3rd party tools to check for broken links.
0
Julien Maneyrol
Hi there,
Is it possible to force offering the CAPTCHA? We have had a massive spam attack from China a couple of weeks ago via one of our contact form from the help center.
The spam attack was obviously done by a bot which used random emails from Chinese hosts IPs.
We have disabled the form and cleaned up our Support (bulk delete spam and users), but we would like to be sure that this won't happen again before re-enabling the form.
Thank you.
2
Martina Ksink
Hello, we are experiencing the same problem as Julien. We had 900 spam tickets during one months via one of our contact forms. Those emails come from Chinese email addresses, following a special pattern (numbers@ a Chinese email provider). We don’t want to disable the contact form, so at the moment, we can only mark them as spam. Thus, we also would like to know if a CAPTCHA can be forced.
Thank you!
1
Dion
CAPTCHA is required when the setting "anyone can submit tickets" is enabled. You can check this article for more information: Managing End-Users. You can also block the domain of those senders by adding them to the blocklist. Please see this article for more information: Using the allowlist and blocklist to control access to Zendesk Support
Hope this helps!
Dion
-2
Ronan McHugh
Hi Martina Ksink and Julien Maneyrol,
Apologies for the delay in getting back to you. I've created tickets to follow up on your issues.
Best regards,
Ronan
0
Julien Maneyrol
Hi @...,
Thank you for following-up.
The problem has been mitigated by removing placeholders in the automated reply.
Still, being able to fine-tune CPACHA (enforce it under certain circumstances) would be really helpful and much more secure.
Best regards,
2
Katrina Greeves
Agree with David Bjorgen this doesn't seem to be rare as we've also had escalating issues with this for the last month across both staff and end users. We have also heard from one of our partners that this also impacted their Zendesk account.
Also agree with Chain Bridge Developers we also requested a cloudflare exception, but there's no confirmation, nor guidance about how to configure the user agent string or feedback on why our app is getting blocked to give us confidence in a solution.
It makes sense Zendesk has control over the configuration of Cloudflare rules, and a quick check found a fun unresolved conversation in the Cloudflare community with the same issue.
We've embedded ZD Guide into our app, but the more our users access it, the more the captcha appears! Clearly our app is triggering cloudflare, even though we use a standard Chrome user agent. We also use the web widget so we cannot disable "anyone can submit tickets" to remove the compulsory captcha.
We feel stuck on a solution, so would love to hear from other users if they have found a solution / workaround.
From the Zendesk product side:
A. Is there any opportunity to look at the Zendesk challenge solve rate to help minimise the impact to real humans?
B. Is there any work planned to isolate cloudflare captcha to certain scenarios? e.g.
1. submitting a ticket (enable captcha on the ticket if anyone is allowed to submit a ticket)
2. viewing Guide (disable captcha - allow anyone to view guide using a validated browser / user agent)
3. use web widget (disable captcha - allow anyone to view guide using a validated browser / user agent)
4
Nathan Cassella
We've been experiencing the same issue that many users have brought up over the last month. All last year when I was my team was working on cleaning up our Guide; we didn't see a captcha once, now today alone, I've seen it five times in the last 30 minutes.
This is making both our internal and external customers frustrated and throwing a wrench into my push to have our customers use self-service.
When can we expect a resolution to this, or is this something else that's going to remain unresolved for years?
0
John Tieu
Hi Julien Maneyrol
We're seeing these spam tickets in Chinese as well. Can you clarify what you did to mitigate the issue? Did it permanently stop the spam?
Thank you
2
Julien Maneyrol
Hi John Tieu,
I followed the instructions from this article: https://support.zendesk.com/hc/en-us/articles/4408887368986 to remove placeholders that spammers target in our automatic replies.
Regards
1
Heather Rommel
Is Captcha also enabled for webwidget submitters or just Help Center form submitters?
0
Nara
0
Gamee Support
Hi,
Is there a way to have a captcha all the time?
At the moment whenever I test the Submit a request part, there is no Captcha.
I do not care if it has some detecting function, I would like it on all the time.
Thank you.
1
Noly Maron Unson
Hi Ferenc,
CAPTCHA has always been active and present hence it's been enabled by default and no further action is required. However, it's only running in the background and would only be visible if there's suspicious activity detected. At the moment, there is no option to always present the CAPTCHA for every time the end-user submits a request.
Hope this helps.
0
Gamee Support
Hi Noly,
Not really. I can read the article and see this. But I want captcha to show all the time. Not just when zendesk served thinks there is a bot attack.
0
Noly Maron Unson
Hi Ferenc,
This is not possible at the moment. I've marked this as product feedback for review, which means that your input will be aggregated as a part of our Voice of the Customer program that provides customer feedback to our product development teams.
Thank you.
0
Zbyněk Čepera
Hello,
I understand that captcha is not yet implemented for Web Widget. I want to ask if you are planning to do this and if so what is the ETA?
0
Jeff Mckenzie
This is a major security risk to all companies involved. Captcha needs to be present on every portal that has the capability to submit a service request. I have seen other posts as well where tickets are being submitted with subjects in Chinese and it is using placeholders to create the randomized tickets. This is insanely annoying as we are getting at least 10 of these tickets a day. We shouldn't have to come up with a workaround in my opinion. Zendesk needs to be made more secure. We are already considering switching support platforms because of other issues, and I'm sure this will be one of the cons added to our list as we review the pros and cons of using Zendesk versus another platform. I hope there is a quick resolution to this issue as attacks are becoming more prevalent.
1
Ruben
I'm jumping in with everyone else here recently to say that it would be beneficial for all to add the captcha option back onto the web forum. We get spam tickets from Chinese email addresses daily. They use different email addresses each time, and the email subject and bodies are all similar but different enough that creating triggers is difficult. Additionally, we do have users who are from China, so simply blacklisting the domain is out of the question. Simply implementing the ability to have a captcha on the web forum would solve all of these issues.
0
Shawna James
0
Support
Subscribing to this feature.
Last 1-2 month(s), up to 10 “Chinese spams” are delivered to my ZenDesk every day. It's very annoying.
1