F

On our side, as we have a limited scope for end users, we just put several domains in the authorized list, and we block everything else in the blocklist using an asterisk (*).

It used to work properly, until we started to receive some spams (5 so far) from 'qq.com' and ‘bccto.cc’. It all started on April 22, 2024.

**UPDATE (2024-05-07)**
Here's the recommendation I just received from Zendesk Support:

Go to Admin Center > People > End users > Anybody can submit tickets > Enable and check “Require authentication for request and uploads APIs.”

If this option is unchecked, spammers can use the Requests API to create tickets. They will appear as created from the Web Widget because this is the API that the Web Widget uses to create tickets.

I am just trying it out right now and seeing if it will solve the issue. As we do not use the Web Widget on our side, this would be an easy solution to this problem. I hope it could be helpful for some of you too!