Russian spam, 37K so far, need a way to mark them all as spam

41 Comments

  • Jiri Fait

    Lorin, we faced the same problem recently as one of our Submit a request forms on our Help Center was attacked by some Russian spam bot. ZD Support recommended to activate the Captcha on our help center forms, we did it and it seems it helped a lot.

    0
  • Lorin Rivers

    Too bad it’s a vulnerable form.

     

    And too bad Zendesk makes it our responsibility to clean it up. 

    3
  • Nicole - Community Manager

    Hi Lorin - 

    Have you implemented the content moderation filter and are you leveraging the functionality to "suspend user and delete all posts"? I realize it isn't a complete solution, but this should really help. 

    Our spam & abuse team is currently evaluating tools in addition to Akismet to assist with spam; hopefully we'll have an update on that in the near future as well. 

    -1
  • Michael Fischer

    If you enable captcha, it will stop. Support has been less than helpful with cleaning up. I am taking it that there is no plan for this on the ZD side.

    0
  • Nicole - Community Manager

    Michael, the focus for the product team has been on preventing things getting in in the first place, meaning improving the filtering and content blocking. So there are plans, but they're more around stopping the problem in the first place at the moment. 

     

    -1
  • Anthony Williamson

    We have enabled Captcha but it does not help. We have also blacklisted *.ru but that only slightly helps. We have had to resort to sign up before making a request. This is not ideal as we are a consumer based product and want to help consumers as quickly as possible. We also now have to filter through 50 suspended tickets an hour to find the 1 or 2 consumers who have yet to sign up but need assistance.

    This started all of a sudden in the past few hours after not enabling sign up for months. Captcha was already enabled this time...

    0
  • Ross Newton

    We just got spammed with about 4000 Russian spam tickets. All from different accounts - so blocking an account does no good.

    Zendesk better get this fixed or we'll have no choice but to part ways. We shouldn't have to implement our OWN Google Captcha!  Why doesn't Zendesk have this as an option?

    EDIT - I see we actually had the Captcha enabled (apparently Zendesk does do this for you - but not well) and we still got Spammed. How can you not fix this somehow or at least let us bulk delete in mass? All my tickets came within a few minutes. Is there no way to bulk delete by time? This is a customer killer. We have no choice but to drop Zendesk if we can't stop and at least get rid of spam.

    The hits just keep coming with Zendesk.

    0
  • Michael Fischer

    Ross, are you saying that you have the Zendesk captcha enabled and it was defeated by a spam bot?

     

     

    Edit - I now see your edit. You might want to open a support ticket for them to look at it.

    0
  • Ross Newton

    Yes, I'm saying that.  Captcha isn't perfect. I opened a support ticket. 

    0
  • Ross Newton

    So after getting support from Zendesk, apparently we didn't have Captcha enabled.  During the attack, Zendesk actually enabled Captcha and that's what stopped the attack from growing beyond 4000 support tickets.

    We were confused because we logged in to check if we had Captcha enabled and it was enabled (because Zendesk enabled it) but of course they never bothered to communicate to us that they did that and/or what was going on.

    Sorry for the confusion.

    FWIW - inexplicably there still isn't an easy way to bulk delete 4000 spam tickets.  Literally no way.  Our plan level isn't high enough for third party apps or automation and we're not going to write something using the API just to delete Spam.  So, unless Zendesk Support can kill the tickets, we'll probably start to discuss migration from Zendesk.  Even though future attacks are unlikely because of Captcha being disabled.  Just the fact that you can't bulk delete past 100 tickets at a time is yet another major feature lacking for us.  This one is probably the crowbar that broke the camel's back finally.

    0
  • Jamie Vogter

    We were attacked last weekend with 10.4K tickets and enabled Captcha. Got attacked by the same bot even with them blacklisted and created 4.4K tickets. This is insane that even with Captcha and blacklist the attack went through again.

    0
  • ChayWesley

    We're now getting thousands of these each night as well, but they're now coming through email so the captcha does nothing to help.  The only way to stop it is to temporarily deactivate our support email address.  We use Google Suite, and have email forwarding per the Zendesk best practices knowledge-base article.  In this configuration, Google seems to simply rewrite the mail envelope and pass it on to Zendesk without doing any spam filtering on it.  This configuration also has Google send an additional copy of the email to a local Gmail account for independent archival.  When the separate copy arrives there, Google properly marks *every single one of these* as spam.  I have no idea why Zendesk isn't flagging any of them as spam.  I do know something has got to improve, and soon.  As others have said, the Zendesk provided tool for deleting these messages only works with up to 30 messages at a time, which is quite frankly offensive.  It portrays a complete lack of respect for the value of my time.

     

    1
  • Bryan Flynn

    Hi Chay (and others who come across this) -- these are a few things that should be done:

    1. Turn on DMARC -- please see Authenticating incoming email using DMARC. This can be very effective but sometimes gives false positives, so please read the article.

    2. Blacklist sender's domain -- see Using the whitelist and blacklist to control access to Zendesk Support 

    3. Mark existing tickets that made it through as spam -- see Marking a ticket as spam and suspending the requester. This helps train the system of what to block.

    4. For those other customers who are receiving spam via Help Center -- see About Help Center spam prevention. In particular, turning on Require CAPTCHA can be particularly effective (Admin > Settings/Customers).

    5. Open a ticket at support@zendesk.com -- if the above steps don't help then looking at your specific account is the best next step. Spam can be tough to get rid of but we're here to help. Please reach out to us directly if needed.

    Thanks for posting.

    Edit: Also going to reference this article:

    Spam prevention resources

    0
  • ChayWesley

     

    In my case:
     
    1) DMARC is already turned on.
    2) The sender's addresses are spoofed... the emails are all addressed from different senders / domains, including many legitimate domains (gmail.com)
    3) We've done that now for thousands of these messages (30 at a time).
    4) ...ok.
    5) ...ok.
     
     
    2
  • Bryan Flynn

    Point taken on the difficulty in marking tickets as spam in the UI. I've raised this with product management.

    Just to be complete, for those who might want to and can script something like this, there is this API endpoint that could be used:

    PUT /api/v2/tickets/mark_many_as_spam.json?ids={ids}

    I know that might already be known, but wanted to mention it.

    0
  • Ross Newton

    Oh yeah... like any of us can "whip up" a script that uses an API endpoint.... seriously?

    Even more pain... Zendesk support temporarily increased my plan to allow me to make use of Automations in order to create an Automation to remove the Spam tickets... totally worthless and impossible to use.

    Inexplicably, the only good tool they give you to "select" your Spam is by the "Number of Hours Since Received". So you have to go out to some website that can calculate the actual hour count since the date of all the Spam tickets, put in that number (e.g. 145 hours), and cross your fingers that the Automation will pick them up - which it never did in my case.

    Selecting tickets by ticket number range... NOPE. Not offered.

    Selecting tickets by timestamp date range... NOPE. Not offered.

    Selecting ticket by sender address... yes, but this offers no help since every ticket is from a different sender with a different message.

    We had to manually remove every ticket doing a few hundred a day.  It's like the developers at Zendesk are missing their brain.  Why would you create Automations but not offer timestamp date-range or at least ticket number range?  Either of these would ZAP all the spam in one go. Ugh... 

    Help Scout is looking really good these days.

    0
  • Rick Christiansen

    Unfortunately our site took a hit the same way Mr. Newton's did. We had approximately 2000 tickets open per minute from various emails. It finally stopped around 16000. Due to the nature of the spam, CAPTCHA and Blacklisting won't do much. Deleting these was also painful.

    It would be very valuable to have some development resources look into ways to prevent this as well as make clean up easier.

    0
  • Bryan Flynn

    Spamming is a serious issue that our engineering team is analyzing. In the meantime, there are ways of bulk deleting tickets, including using Automations as outlined here: How can I bulk delete spam tickets in Zendesk?

    I'll repeat this link, too: Spam prevention resources

    Hopefully one of these articles offers something that works for your instance and that wasn't considered earlier. Of course the best solutions will prevent spam instead of having to react to it. Our team's working on that.

    Along with the points from the above articles, another option, outside of turning email notifications off, is making your Zendesk instance less of a target by removing {{ticket.comments_formatted}} and {{ticket.title}} from your trigger email notifications, which can carry malicious payloads. Offering a static, generic response can still offer feedback while reducing spamming value to bad actors.

    0
  • Karl Macleod

    We're having a similar issue on our Zendesk (got a few hundred last night - less than half were detected properly as spam - got another few hundred in the last few hours). I have added "mail.ru" to our blacklist, so hoping this will see a reduction. The weird part is that most of these messages are quite similar, so for some of them to get caught, but not the others does seem a bit odd - upon inspecting the headers for the non-caught ones, it seems Zendesk's own spam prevention is marking them as potential spam, but they are still making it in.

    I noticed many of these are coming from "gmail.com", which I thought enabling the DMARC verification would actively prevent (since they aren't coming from real Gmail mail servers), however this seems to be ineffective in this case. I think this is due to Gmail's lax DMARC policy (perhaps why the Russian spammers have chosen this domain to spoof, along with mail.ru):

    v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com

    This suggests that no action would be taken for email from *@gmail.com (excluding subdomains) unless I am mistaken. Zendesk doesn't explicitly indicate whether they follow the policies specified in the DMARC record (thus "none" would result in no action taken), or whether they always mark failed DMARC messages as spam. The spam messages definitely do fail the DMARC test as indicated in the headers, as well as SPF (since it's not the Gmail servers sending the messages!).

    Luckily, we haven't been bombarded as much as some looking at the above, so we've been able to manually clean them up, but still not ideal of course.

    As mentioned by someone above, we also initially had the spam coming through the online form (which the automatically enabled CAPTCHA stopped for us), but they have migrated to the email channel since.

     

    1
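The policy question raised in the post above, worked through as an added example (not code from the thread or from Zendesk): it parses the quoted DMARC record and returns what a receiver would do with a message that fails DMARC, both when it honours the published policy and when it applies a stricter local rule. The function names and the `honour_policy` switch are hypothetical, and the `pct` tag is not modelled.

```python
# Added example: evaluate the DMARC record quoted in the post above.
DISPOSITIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}

# Record as quoted in the thread.
GMAIL_RECORD = "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a {tag: value} dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC1 record")
    return tags


def receiver_action(record, from_domain, org_domain, dmarc_pass, honour_policy=True):
    """Return 'deliver', 'quarantine' or 'reject' for one message.

    from_domain   -- domain in the From: header
    org_domain    -- organizational domain the record was published for
    dmarc_pass    -- result of the receiver's DMARC evaluation
    honour_policy -- hypothetical switch: False models a receiver that treats
                     every DMARC failure as spam regardless of the record
    """
    if dmarc_pass:
        return "deliver"
    if not honour_policy:
        return "quarantine"
    tags = parse_dmarc(record)
    # 'sp' applies to subdomains only; the organizational domain itself uses 'p'.
    is_subdomain = from_domain.lower() != org_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if policy.lower() not in DISPOSITIONS:
        raise ValueError("unknown policy: %r" % policy)
    return DISPOSITIONS[policy.lower()]


if __name__ == "__main__":
    for domain in ("gmail.com", "mail.gmail.com"):
        print(domain, "->", receiver_action(GMAIL_RECORD, domain, "gmail.com", False))
```

With `p=none`, a policy-honouring receiver delivers the spoofed `gmail.com` message even though the DMARC check failed; only a local rule that acts on the failure itself changes the outcome.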
  • Matt Hannam

    This is wildly frustrating.  We have another 10k spam messages sent directly to our Zendesk support email.  

    -There are no credible plugins to bulk delete spam.
    -Creating an automation does not work as there are no common attributes between the messages (other than time received, however that's not a filter option).
    -The API returns 100 results at a time and we need to parse the JSON results, grab the ticket IDs and send them back to the API as a DELETE.  So we'll build this from scratch.

    I can't believe we will need to expend developer resources to handle this.  So frustrating.

    1
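An added sketch of the cleanup that Bryan Flynn's endpoint and the paging described in the post above point to (not code from the thread or from Zendesk): it selects tickets by creation-time window, which the posters say the UI cannot do, and plans `mark_many_as_spam` calls in batches. The batch size of 100 is an assumption taken from the figures in this thread, the base URL is a placeholder, the ticket list is constructed, and fetching tickets and sending the authenticated requests are left to your HTTP client.

```python
# Added example: plan bulk spam-marking requests for tickets in a time window.
from datetime import datetime, timezone

BATCH_SIZE = 100  # assumption: per-call limit, from the figures in this thread
BASE_URL = "https://example.zendesk.com"  # placeholder subdomain


def parse_ts(value):
    """Parse a UTC timestamp such as 2024-01-01T03:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_spam_ids(tickets, start, end):
    """IDs of tickets created inside [start, end] that nobody has worked on.

    Only status 'new' is selected, so a ticket an agent already opened
    during the burst is not swept up with the spam.
    """
    start_dt, end_dt = parse_ts(start), parse_ts(end)
    return sorted(
        t["id"] for t in tickets
        if t["status"] == "new" and start_dt <= parse_ts(t["created_at"]) <= end_dt
    )


def plan_requests(ids, base_url=BASE_URL):
    """Return (method, url) pairs, one per batch of at most BATCH_SIZE ids."""
    plan = []
    for i in range(0, len(ids), BATCH_SIZE):
        batch = ",".join(str(n) for n in ids[i:i + BATCH_SIZE])
        url = "%s/api/v2/tickets/mark_many_as_spam.json?ids=%s" % (base_url, batch)
        plan.append(("PUT", url))
    return plan


def sample_tickets():
    """Constructed data: a 250-ticket burst plus three tickets to leave alone."""
    burst = [
        {"id": 1000 + i, "status": "new",
         "created_at": "2024-01-01T03:%02d:%02dZ" % (i // 60, i % 60)}
        for i in range(250)
    ]
    others = [
        {"id": 900, "status": "new", "created_at": "2024-01-01T02:10:00Z"},
        {"id": 2000, "status": "open", "created_at": "2024-01-01T03:02:00Z"},
        {"id": 2001, "status": "new", "created_at": "2024-01-01T05:00:00Z"},
    ]
    return burst + others


if __name__ == "__main__":
    ids = select_spam_ids(sample_tickets(),
                          "2024-01-01T03:00:00Z", "2024-01-01T03:05:00Z")
    for method, url in plan_requests(ids):
        print(method, url[:90] + "...")
```

Review the selected IDs before sending anything: the article cited earlier in the thread describes this action as marking the ticket as spam and suspending the requester, and posters here report that the sender addresses are spoofed.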
  • Emy

    @Matt Hannam: We are having the same problem. Those SPAM messages were sent directly to our Zendesk Support Email, and it's causing us a huge issue as well as frustration. Again, we have tried everything and the issue still persists. I have no idea what the root cause is. So annoying and frustrating. 

    0
  • Matt Hannam

    @emy- It turns out the Zendesk out of the box configuration works as an email relay for spammers.  Basically, if someone emails your support address, the destination email gets a "Your request has been received: [subject line of the email]" message forwarded to the sender.  So a spammer can send an email with their target as the sender.  The sender will get an auto response from your Zendesk trigger and the email subject gets echoed back and the body of the email shows up in the ticket comments link.

    So they can forward huge volumes of emails through your Zendesk account, which explains the motivation behind the deluge of emails going directly to our Zendesk support email.

    To prevent this, you have to add additional conditions to your triggers that auto-reply to the specified email address.

    What's curious is that I haven't been able to find a word about this problem or solution anywhere in the Zendesk KB.  So frustrating. 

    Then you have to create a new trigger for Proactive tickets:

    The need for the secondary trigger comes into play when you are creating tickets on behalf of requesters (sending out proactive emails, or any scenario where you need to send out a message on the creation of the ticket). When an agent creates the ticket, there is no risk to send out the initial message, as non-end-users are inherently trustworthy (and, without it the comment in the ticket is never sent)

    2
  • Emy

    Hey @Matt! Thanks a ton for your response!! I have spent a huge amount of time trying to search for a solution to resolve this problem completely and all of what I got is just general or basic information from Zendesk Support that sent me to nowhere. Just to let you know I really appreciate your suggestions! I will follow them to see if that can prevent future SPAMers. Probably Zendesk is having the same issue and they are seeking for help (if any)...

    0
  • Stan Podoxin

    Hello @Matt,

     

    We are among the "victims" of this Russian spam as well. Thank you so much for providing the solution! Would you mind elaborating the scenario itself a bit more? If a spammer sends an email to our support email address, the spammer him/herself is actually the sender. So the spammer's email address is the source address. Therefore, the auto-response "Your request has been received..." will be sent back to the spammer. To generate thousands of these emails, the spammer will have to use thousands of different source email addresses. How can one generate an email with different source addresses unless he/she has thousands of different email accounts (which does not make a lot of sense)? And why would one want to do this? I'm sure I'm missing something here, so I'll be grateful for any clarification.

    0
  • Max McCal

    Hi, all - 

    Allow me to elaborate as the product manager for abuse prevention at Zendesk. We're sorry for not responding here sooner. As you can imagine, elaborating on how spam is created is a tricky subject, as we're anxious about sharing a recipe for how to send more spam. We're currently being targeted by a persistent group of spammers who are using a technique called spoofing to create these tickets. It's a common and often non-malicious technique, which is why our Sender Authentication is good -- but not perfect -- protection.

    We have been doing a lot of work to reactively fight these attacks, and have staff dealing with them round the clock. This has had some success mitigating the problem, but it's insufficient. We aren't able to detect and stop all of them fast enough.

    Our development team is working on a new spam filter that will go live as soon as we can safely deploy it. We are looking for groups who are willing to trial it, which will help us to tune the model and make sure it's working correctly. If you'd be willing to participate in an early access program for our new spam prevention tool, please reply to this post, and we will reach out to you directly. You can also contact us by creating a ticket as well. 

    Lastly, we are working on a tool for deleting spam tickets in bulk. This will be something we can hopefully start offering as a service in the next two weeks. Cleaning up these issues after the fact seems to be one thing we can try to improve on.

    We're working very hard to do what we can right now. We have had some issues with our tools, which did not turn out to be up to the task of handling these coordinated attacks. Obviously, it's our responsibility to stop these, and we're working on that goal with all effort. It doesn't mitigate what's already happened, and for that we apologize. 

    7
  • Jiri Fait

    Hi Max, we are definitely interested in this EAP. Thanks

    0
  • Stan Podoxin

    Hi Max,

     

    Thank you for your honest and professional response. Highly appreciated. Yes, I'm familiar with spoofing. Still not sure though why would one want to spam, especially if they are doing this, as you've mentioned, out of non-malicious reasons. For fun? Anyway, thanks again and yes, we are interested in the early access program for your new spam prevention tool.

    0
  • Matt Hannam

    They're not doing it for fun.  They're using your Zendesk account as an email relay to send spam notification emails to people who are not your customers. 

    They spoof the sender email with their target's email.  Your Zendesk account replies automatically with "Ticket Received: " [Title of the spam message] email to the (target) recipient.  The body of the spam email is visible inside the ticket.  

    This open mail relay is the default behavior for Zendesk Support unless you add the additional conditions to the auto-reply trigger.  

    0
  • James Jarvis

    Hello Max - having spent most of today managing through this, I am no Zendesk expert either. I would be interested in ANYTHING to prevent this happening again. Unfortunately we have many customers who use free email services so can't easily blacklist obvious domains, though I have today spent quite some time blacklisting quite a few Russian email domains. No Russian customers yet. 

    Thanks

    James Jarvis

    Head of Customer Relationships and Support

    1
  • Jamie Vogter

    Hi Max,

    We would love to take part in this. We have submitted tickets and have not had an issue with this until today. We received a small amount (looks like they were recognized as spam after about 50 tickets and the rest were marked as so) today for the first time in months.

    Thank you!

    0
