To keep customers safe from bad bots when accessing your help center content, Zendesk uses CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart). A CAPTCHA form renders whenever a bot is detected. Learn more about help center spam protection.
CAPTCHA is a Cloudflare rule that uses the Cloudflare Bot management features. The rule prompts requestors for a CAPTCHA if the request matches certain criteria, such as:
- Having a BotScore that is lower than the threshold
- Excluding verified bots (such as search crawlers)
- There being a /hc path for example, which, depending on your settings, might redirect to the sign-in page for:
- Your login: https://z3ncfblock1.zendesk.com/auth/v2/login/
- Your sign up: https://z3ncfblock1.zendesk.com/auth/v2/login/registration
- Ticket submissions: https://z3ncfblock1.zendesk.com/hc/en-us/requests/new
This article covers the following frequently asked questions and scenarios:
- Why do I only see CAPTCHA sometimes?
- Why am I facing an error when rendering a CAPTCHA?
- I want to run an automation application or a good bot and not get blocked
- What does Cloudflare bot management track?
- I have a host mapped account, what should I know?
- What is Cloudflare bot management?
- Something has gone wrong, what do I do?
Why do I only see CAPTCHA sometimes?
Cloudflare’s Bot Management tool analyzes all Zendesk traffic, and scores it based on how likely it is to come from a human, or a bot. CAPTCHAs appear when traffic is scored within a certain threshold, as it is mostly meant for bots. A bot score of <5 emphasizes just how are strict we are on bots in particular.
It is extremely rare that traffic from an actual human is misclassified as bot traffic by Cloudflare.
Why am I facing an error when rendering a CAPTCHA?
Ad blockers can turn off CAPTCHAs in certain browsers and older browsers may experience issues displaying CAPTCHAs (see, Frequently asked questions about Cloudflare bot products).
I want to run an automation application or a good bot and not get blocked
If you are running a good bot and want to have it added to the Cloudflare allowlist (cf.bot_management.verified_bot), submit a request to Cloudflare.
What does Cloudflare bot management track?
- Scenario: You are running a good automation or a good bot on the request form, or the anonymous requests API.
Cloudflare bot management does not track traffic on the API. It does track traffic on the form, even though it is not expected that the form has any traffic.
- Scenario: You have a custom web form for ticket submission.
Cloudflare bot management tracks the traffic for all custom web forms going through ticket submission.
I have a host mapped account, what should I know?
Cloudflare bot management tracks the traffic for host mapped accounts - this is not an option that you can disable in the CAPTCHA settings.
What is Cloudflare bot management?
Zendesk uses the Cloudflare Bot management feature. It prompts requestors for a CAPTCHA if the request matches certain criteria. For example, if you set a bot score threshold, the feature will prompt a CAPTCHA for all traffic that matches the bot score threshold value (see, What is the difference between the threat score and bot management score?).
A bot score is a value that ranges from 1 (a bot) to 99 (a human). The CAPTCHA page displays a 403 status code if this is triggered.
Something has gone wrong, what do I do?
- Scenario: Your domain is experiencing issues.
Exclude the domain and inform support.
- Scenario: Your monitoring solution is experiencing issues.
Exclude the user agent and inform support
9 Comments
1. Can we see an image of what it will look like to a customer upon traffic misclassification? Are "Zendesk" and "CloudFlare" front and center in the messaging on that page?
2. Could you share some insight into how extremely rare defined? 1/100, 1/1000, or 1/100,000, or something else?
Extremely rare? Our clients have been complaining about it for the past week. In addition, our internal staff is having to complete Captchas to access the administrative back end. How do we turn off this dysfunctional feature?
We submitted this form and didn't get any response for 3 weeks now. Are you sure this form is the way to go?
We think it is Zendesk who has to configure
cf.bot_management.verified_botin their Cloudflare dashbpard.Does anybody else have the problem that due to this bot blocking thing, you cannot use SEO tools to crawl your Help Center anymore?
We always used 3rd party tools to check for broken links.
Hi there,
Is it possible to force offering the CAPTCHA? We have had a massive spam attack from China a couple of weeks ago via one of our contact form from the help center.
The spam attack was obviously done by a bot which used random emails from Chinese hosts IPs.
We have disabled the form and cleaned up our Support (bulk delete spam and users), but we would like to be sure that this won't happen again before re-enabling the form.
Thank you.
Hello, we are experiencing the same problem as Julien. We had 900 spam tickets during one months via one of our contact forms. Those emails come from Chinese email addresses, following a special pattern (numbers@ a Chinese email provider). We don’t want to disable the contact form, so at the moment, we can only mark them as spam. Thus, we also would like to know if a CAPTCHA can be forced.
Thank you!
CAPTCHA is required when the setting "anyone can submit tickets" is enabled. You can check this article for more information: Managing End-Users. You can also block the domain of those senders by adding them to the blocklist. Please see this article for more information: Using the allowlist and blocklist to control access to Zendesk Support
Hope this helps!
Dion
Hi Martina Ksink and Julien Maneyrol,
Apologies for the delay in getting back to you. I've created tickets to follow up on your issues.
Best regards,
Ronan
Hi Ronan McHugh,
Thank you for following-up.
The problem has been mitigated by removing placeholders in the automated reply.
Still, being able to fine-tune CPACHA (enforce it under certain circumstances) would be really helpful and much more secure.
Best regards,
Please sign in to leave a comment.