An open Zendesk environment, where anyone can submit a request, can also open the gates for unwanted tickets to be created against your account.

This workflow includes the steps below.

  • Step 1: Remove placeholders from your account's first-reply triggers
  • Step 2: Disable the option 'Anybody can submit tickets'

Open means everyone can access your help center and submit support requests. Some customers choose this setup if they sell products and support the general public. With this option, anyone can submit any type of support request and create new user accounts in your Zendesk account. For more information about user access, see this article: Understanding options for end-user access and sign-in.

However, when you keep Zendesk open, anyone can submit requests that don't relate to your business and use any email address to create tickets, all without going through a proper verification process.

Abusive actors can use your Submit a request form to send messages to third-party email addresses that don’t belong to your customers.

Once someone submits a ticket, your first-reply triggers may send notifications with the message details (such as the title and description) to the third-party email address.

Even if you require help center sign-in or remove the ticket form from the Submit a request page, anonymous users can still create requests.

If your account allows anyone to submit tickets, abusive actors can use the api/v2/requests API endpoint to programmatically create multiple tickets and bypass restrictions, creating relay spam in your account.

Abusive actors don’t need to use your help center’s Submit a request page. They can use any API client to submit tickets, enter specific metadata for your form, and use IP rotation to generate multiple spam tickets.

Step 1: Remove placeholders from your account's first-reply triggers

This will prevent the spam message from being relayed from your account, but it won't block the unwanted ticket creation process.

The following placeholders are targets for relay spam because their values come from an anonymous endpoint, where anyone can enter any text or links they want.

  • {{ticket.title}}
  • {{ticket.requester.first_name}}
  • {{ticket.requester.last_name}}
  • {{ticket.requester.name}}

To prevent spam messages from being relayed from your account, you need to remove these placeholders and replace them with plain text.

For more information, see this article: Removing specific placeholders from first-reply triggers

Note: If you add these placeholders to dynamic rule settings, you must remove or replace them individually in each specific rule.
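
One way to check which triggers still contain these placeholders, shown as an added example that is not Zendesk's own code. It assumes you have exported your trigger definitions as JSON, that each notification action has the shape `notification_user` with a value of recipient, subject, and body, and that the recipient values shown address the requester; the sample data is constructed.

```python
import re

# Placeholders the article lists as relay-spam targets.
RISKY = ("ticket.title", "ticket.requester.first_name",
         "ticket.requester.last_name", "ticket.requester.name")
# Tolerate inner whitespace and a Liquid filter, e.g. {{ ticket.title | upcase }}.
PATTERN = re.compile(
    r"\{\{\s*(" + "|".join(map(re.escape, RISKY)) + r")\s*(?:\|[^}]*)?\}\}")
# Assumption: recipient values that deliver the email to the ticket requester.
REQUESTER_RECIPIENTS = {"requester_id", "requester_and_ccs"}

def audit_triggers(triggers):
    """Map trigger title -> sorted risky placeholders found in the subject or
    body of requester notifications. Inactive triggers are skipped."""
    findings = {}
    for trig in triggers:
        if not trig.get("active", True):
            continue
        hits = set()
        for action in trig.get("actions", []):
            value = action.get("value")
            # Assumed shape: notification_user -> [recipient, subject, body]
            if (action.get("field") != "notification_user"
                    or not isinstance(value, list) or not value
                    or value[0] not in REQUESTER_RECIPIENTS):
                continue
            for text in value[1:]:
                hits.update(PATTERN.findall(str(text)))
        if hits:
            findings[trig.get("title", "<untitled>")] = sorted(hits)
    return findings

# Constructed sample export (not real account data).
SAMPLE = [
    {"title": "Notify requester of received request", "active": True,
     "actions": [{"field": "notification_user", "value": [
         "requester_id", "[Request received] {{ticket.title}}",
         "Hi {{ ticket.requester.first_name }}, we received your request."]}]},
    {"title": "Plain-text acknowledgement", "active": True,
     "actions": [{"field": "notification_user", "value": [
         "requester_id", "[Request received]",
         "Your request ({{ticket.id}}) has been received."]}]},
    {"title": "Notify assignee", "active": True,
     "actions": [{"field": "notification_user", "value": [
         "assignee_id", "New ticket", "{{ticket.title}}"]}]},
]

if __name__ == "__main__":
    print(audit_triggers(SAMPLE))
```

Only the first sample trigger is reported: the second uses plain text, and the third does not email the requester.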

Step 2: Disable the option 'Anybody can submit tickets'

This blocks ticket creation through the methods above, since anonymous users can no longer submit tickets.

This change will block spam and unwanted tickets by allowing only verified users to contact you directly.

Take this step only if your business workflow doesn’t require tickets from all users, including anonymous ones.

For more information on disabling this option, see this article: Disabling the 'Anyone can submit tickets' option

If your business workflow relies on anonymous users, you need to immediately remove specific placeholders from your account’s first-reply triggers. This prevents your account from relaying spam messages, but it won’t stop unwanted tickets from being created.

For more information, see these articles:

  • Removing specific placeholders from first-reply triggers
  • Permit only added users to submit tickets
  • How to spot a phishing attack
  • Resources for preventing and managing spam
  • General security best practices