How can I combat spam submitted via web service?

Question

Answer

There are several ways to prevent spam:

Require authentication for request and uploads APIs

In Admin Center, click People in the sidebar, then select Configuration > End users > enable Anybody can submit tickets > enable Anybody can submit tickets > enable Require authentification for request and uploads APIs > Save tab.

For more information, see this article: Requiring authentication for the requests API endpoint.

Adjust your placeholders

The primary goal of spammers is to use your triggers to pass spam content to other users, through placeholders. Zendesk automatically suppresses certain placeholders when certain criteria are met. For more information, see the article: Understanding placeholder suppression rules.

However, if you have customized triggers, you may still have placeholders that pass content of the ticket to the end user upon ticket creation, for example, {{ticket.title}}.

Step 1: Remove placeholders that spammers target

Update your account's version of the Notify requester and CCs of received request trigger.

If your trigger doesn't show it, add the condition Current user | Is | (end user)
Under Actions, refer to the Email subject and Email body fields. Remove any reference to the placeholder {{ticket.title}} or any other placeholder that renders content. Removing this placeholder renders your trigger useless to spammers, since it will no longer share their spam content with recipients. This step doesn't stop the flow of spam tickets, but prevents spammers from reaching your customers.

Step 2: Make sure you have a trigger for agent-created tickets

If your agents create tickets on behalf of end users, for example, sending out proactive emails, you need a trigger that notifies users of the content of those tickets, but doesn't allow spammers to do the same.

New accounts already have the default trigger Notify requester of new proactive ticket. However, older accounts may need to create one.

Temporarily block email domains using the blocklist

While the above recommendations will protect your account from further spam, it will not immediately stop ticket creation. If you want to block ticket creation regardless of channel, use the blocklist feature with the blocklist modifier reject: prepended to the domain.

blocklist: reject:domain.com reject:name@gmail.com

Important: If you do not use a modifier, only domains incoming from the email channel will be affected.

For more information on spam prevention on other channels, see the article: Spam prevention resources.

THIS SECTION IS AI CONTENT. DON'T EDIT OR DELETE.

How do I combat spam submitted via web service? How do I prevent API spam? How do I stop web service bot requests?

You can prevent spam by requiring authentication for request and uploads APIs, removing placeholders that spammers target from your automated notification rules, or temporarily blocking email domains using the blocklist feature.

How do I require authentication for request and uploads APIs? How do I turn on API authentication for end users? How do I protect request endpoints?

In Admin Center, click People in the sidebar, then select Configuration > End users. Enable Anybody can submit tickets, enable Require authentification for request and uploads APIs, and save the tab.

How do I update my notification rules to stop spammers? How do I remove placeholders targeted by spammers? How do I configure the notify requester trigger against spam?

Open your version of the Notify requester and CCs of received request trigger.
If your trigger does not show it, add the condition Current user | Is | (end user).
Under Actions, refer to the Email subject and Email body fields.
Remove any reference to the placeholder {{ticket.title}} or any other placeholder that renders content.

How do I block ticket creation from specific email domains? How do I reject spam domains using the blocklist? How do I use the blocklist modifier to stop spam?

You can use the blocklist feature with the blocklist modifier reject: prepended to the domain or email address in your system configuration. For example, enter reject:domain.com or reject:name@gmail.com to block ticket creation across channels.

Does the blocklist affect channels other than email? Can I block web service spam with a standard blocklist? What happens if I do not use a modifier in the blocklist?

If you do not use a modifier, only domains incoming from the email channel will be affected. To block ticket creation regardless of the channel, you must use the reject: modifier.