Question
How can I combat spam submitted via web service?
Answer
There are several ways to prevent spam:
Require authentication for request and uploads APIs
In Admin Center, click People in the sidebar, then select Configuration > End users > enable Anybody can submit tickets > enable Require authentication for request and uploads APIs > Save tab.
For more information, see this article: Requiring authentication for the requests API endpoint.
Adjust your placeholders
The primary goal of spammers is to use your triggers to pass spam content to other users, through placeholders. Zendesk automatically suppresses certain placeholders when certain criteria are met. For more information, see the article: Understanding placeholder suppression rules.
However, if you have customized triggers, you may still have placeholders that pass content of the ticket to the end user upon ticket creation, for example, {{ticket.title}}.
Step 1: Remove placeholders that spammers target
Update your account's version of the Notify requester and CCs of received request trigger.
- If your trigger doesn't show it, add the condition Current user | Is | (end user)
- Under Actions, refer to the Email subject and Email body fields. Remove any reference to the placeholder {{ticket.title}} or any other placeholder that renders content. Removing this placeholder renders your trigger useless to spammers, since it will no longer share their spam content with recipients. This step doesn't stop the flow of spam tickets, but prevents spammers from reaching your customers.
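To find every trigger that still needs this change, you can scan an export of your triggers for content-rendering placeholders in the Email subject and Email body. The script below is an added example, not Zendesk code: the trigger JSON layout (an action whose value is a list of recipient, subject, body), the action names, and every placeholder other than {{ticket.title}} are assumptions, and the sample triggers are constructed.

```python
import re

# Placeholders treated as rendering requester-supplied text. Only
# {{ticket.title}} is named in the article; the others are an assumed list.
CONTENT_PLACEHOLDERS = {
    "ticket.title", "ticket.description", "ticket.latest_comment",
    "ticket.latest_comment_formatted", "ticket.comments_formatted",
}
# Assumed action names for email notifications in the exported trigger JSON.
EMAIL_ACTIONS = {"notification_user", "notification_group"}
# Matches {{name}}, {{ name }} and {{name | filter}}; captures the name.
PLACEHOLDER_RE = re.compile(r"\{\{\s*([\w.]+)[^}]*\}\}")

def find_content_placeholders(text):
    """Return the sorted content placeholders referenced in one template string."""
    names = {m.group(1) for m in PLACEHOLDER_RE.finditer(text or "")}
    return sorted(names & CONTENT_PLACEHOLDERS)

def audit_triggers(triggers):
    """Return (trigger title, 'subject' or 'body', placeholders) for each risky field."""
    findings = []
    for trig in triggers:
        if not trig.get("active", True):
            continue  # inactive triggers send nothing
        for action in trig.get("actions", []):
            value = action.get("value")
            if (action.get("field") not in EMAIL_ACTIONS
                    or not isinstance(value, list) or len(value) < 3):
                continue
            for part, text in (("subject", value[1]), ("body", value[2])):
                hits = find_content_placeholders(text)
                if hits:
                    findings.append((trig.get("title", "?"), part, hits))
    return findings

# Constructed sample data, not taken from a real account.
SAMPLE_TRIGGERS = [
    {"title": "Notify requester and CCs of received request", "active": True,
     "actions": [{"field": "notification_user", "value": [
         "requester_and_ccs", "[Request received] {{ ticket.title }}",
         "Request {{ticket.id}} received.\n{{ticket.comments_formatted}}"]}]},
    {"title": "Acknowledge request (no content)", "active": True,
     "actions": [{"field": "notification_user", "value": [
         "requester_and_ccs", "Request #{{ticket.id}}", "We received your request."]}]},
]

if __name__ == "__main__":
    for title, part, hits in audit_triggers(SAMPLE_TRIGGERS):
        print(f"{title}: email {part} renders {', '.join(hits)}")
```

An empty result means no active email notification in the export references a listed placeholder; extend CONTENT_PLACEHOLDERS with any others your triggers use.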
Step 2: Make sure you have a trigger for agent-created tickets
If your agents create tickets on behalf of end users, for example, sending out proactive emails, you need a trigger that notifies users of the content of those tickets, but doesn't allow spammers to do the same.
New accounts already have the default trigger Notify requester of new proactive ticket. However, older accounts may need to create one.
Temporarily block email domains using the blocklist
While the above recommendations will protect your account from further spam, they will not immediately stop ticket creation. If you want to block ticket creation regardless of channel, use the blocklist feature with the blocklist modifier reject: prepended to the domain.
blocklist: reject:domain.com reject:name@gmail.com
For more information on spam prevention on other channels, see the article: Spam prevention resources.