Question
How can I combat spam submitted via web service?
Answer
There are several ways to prevent spam:
Require authentication for request and uploads APIs
In Admin Center, click People in the sidebar, then select Configuration > End users > enable Anybody can submit tickets > enable Anybody can submit tickets > enable Require authentification for request and uploads APIs > Save tab.
For more information, see this article: Requiring authentication for the requests API endpoint.
Adjust your placeholders
The primary goal of spammers is to use your triggers to pass spam content to other users, through placeholders. Zendesk automatically suppresses certain placeholders when certain criteria are met. For more information, see the article: Understanding placeholder suppression rules.
However, if you have customized triggers, you may still have placeholders that pass content of the ticket to the end user upon ticket creation, for example, {{ticket.title}}
.
Step 1: Remove placeholders that spammers target
Update your account's version of the Notify requester and CCs of received request trigger.
- If your trigger doesn't show it, add the condition Current user | Is | (end user)
- Under Actions, refer to the Email subject and Email body fields. Remove any reference to the placeholder
{{ticket.title}}
or any other placeholder that renders content. Removing this placeholder renders your trigger useless to spammers, since it will no longer share their spam content with recipients. This step doesn't stop the flow of spam tickets, but prevents spammers from reaching your customers.
Step 2: Make sure you have a trigger for agent-created tickets
If your agents create tickets on behalf of end users, for example, sending out proactive emails, you need a trigger that notifies users of the content of those tickets, but doesn't allow spammers to do the same.
New accounts already have the default trigger Notify requester of new proactive ticket. However, older accounts may need to create one.
Temporarily block email domains using the blocklist
While the above recommendations will protect your account from further spam, it will not immediately stop ticket creation. If you want to block ticket creation regardless of channel, use the blocklist feature with the blocklist modifier reject: prepended to the domain.
blocklist: reject:domain.com reject:name@gmail.com
For more information on spam prevention on other channels, see the article: Spam prevention resources.
5 comments
Ed Ball
Can you reject/suspend emails with a wildcard in the blocklist? We can't block specific emails since he changes the email after every ticket he submits. I have reported him to google, but who knows what good that would do. He always uses the same name then adds a + and then some random characters. So stopping him is a challenge. We suspend them as they come in but really that is futile since he never reuses them.
reject:NAME*@gmail.com or something like that?
We have a very persistent person who is using a bot for sure to spam us for help. We have found no way to stop this from happening. I do not see what channel the tickets are using, but it does not appear to be email. Just looking for anyone that may have had to deal with something similar.
We have a ticket with zendesk, but turning off account creation is not an option at this time.
2
Antoni Saetta
With a fully open instance of Zendesk where we reply to our customers via e-mail, how would you update a trigger that notifies them of our reply via e-mail to combat spam? The subject surely has to be "Re: {{ticket.title}}" to re-use what the customer set as a subject in his initial e-mail.
0
Nara
0
Amanda Oka
We no longer use the ticket.title placeholder and are currently getting hit with gmail accounts.... I can't block gmail... they used to have 'xxxxxxxxxxxxx' or something incoherent that could be identified quickly and dealt with, but these simply have one word, so I'm not sure what they're gaining, especially since our subject line is static in our ticket notifications.
0
Christine Diego
If you are experiencing spam issues, we ask that you please open a ticket with our Support team so we can investigate specifics with your account.
0