Feature request: Please provide more control over what methods unregistered users can submit tickets through for restricted instances.
Background: By restricted instances, I'm referring to the setting of allowing "Anybody can submit tickets, registration required". More details are here: https://support.zendesk.com/hc/en-us/articles/203663756.
- As acknowledged in the article, some businesses provide support primarily via email. Restricting users from submission until they fully register a new email address can create a problematic delay for that end-user's ticket receiving support. The solution for this is to have an open instance.
- The problem with an open instance is, coupled with the ability to let a previously unknown email address automatically create an End User account to instantly create a support ticket (via the Email Channel), is the allowance for anyone to anonymously use the Web Form to create a ticket with any email address they choose without challenge or question.
- Accepting and utilizing any email address via a simple text form without any form of verification is a security vulnerability. Today our Zendesk instance effectively got hijacked via this feature and turned into an spam email server with very little difficulty. They had a list of people they wanted to spam. They simply recursively entered their spam message into the Subject & Description fields and kept entering the spam recipient into the "Your email address" field.
Requested Fix: Either:
- Allow us to separately restrict anonymous restrictions via the Email Channel or Web Forms Channel.
- Improve the way that anonymous Web Forms are handled so that email addresses aren't accepted without challenge or question.
Please sign in to leave a comment.