Even it says "via Web Widget", there are tickets created via the Requests API which is open for anonymous requests. This appears to be a probing behavior performed by external actors against the API endpoint, likely trying to understand how accounts relay content included in the subject, body, and the user name.
There are a few things you can do to prevent this type of spams.
- Do not use name or subject placeholders in specific triggers
Make sure there are no name or subject placeholders included in triggers that fire on ticket creation, especially if your use case allows anonymous requests to be submitted.
Examples of these placeholders are:
• ticket.requester.first_name
• ticket.title - Require authentication for request and uploads APIs
A more comprehensive defense is to require authentication for the requests API endpoint and uploads API endpoint, but note that some methods of ticket creation, such as the Zendesk Web Widget Contact form, custom apps, and external web forms, rely on the unauthenticated anonymous ticket creation process to submit tickets. - Add the domain or email address to the blocklist
This will prevent the ticket creation from any email address or any domain. Make sure to use the `reject:` and place it in front of an email address or domain list in the blocklist. By doing this, tickets will not be added to the suspended tickets queue, and there will be no record of the ticket in your Zendesk account.
Example: If you need to reject the domain "@spam.com", add "reject:spam.com" in the blocklist.
Comments
0 comments
Please sign in to leave a comment.