
How to Stop Zendesk Spam Emails: The Complete Fix Guide

Getting flooded with spam tickets in Zendesk? Or worse — people complaining they're receiving suspicious emails "from" your company? You're not alone. This is a widespread issue affecting Zendesk users globally, with over 100 major companies already compromised. Here's everything you need to know about what's happening and how to fix it.

January 29, 2026

If you're a Zendesk admin, you've probably noticed something troubling over the past few months: your support inbox is being flooded with spam tickets, or worse, people are complaining they're receiving suspicious emails "from" your company that you never sent.

You're not alone. And no, you didn't get hacked in the traditional sense.

This is a widespread issue affecting Zendesk users globally, and it's been making headlines in the cybersecurity world. From Fortune 500 companies to small support teams, the problem has exposed a critical weakness in how many Zendesk instances are configured by default.


What Exactly Is Happening?

Bad actors have figured out how to exploit Zendesk's default settings to do two very annoying things:

1. Flood your support queue with spam tickets – They create thousands of fake support requests, burying your real customer tickets in garbage.

2. Use your Zendesk instance as a spam relay – They submit tickets using other people's email addresses, and Zendesk dutifully sends those people a "Your ticket has been received" confirmation email. That email looks like it's from YOUR company, not Zendesk.

The second scenario is particularly nasty. Imagine Brian Krebs (yes, the famous cybersecurity journalist) receiving thousands of emails from companies like The Washington Post, Discord, NordVPN, and Tinder – all because attackers exploited their Zendesk configurations. That's exactly what happened in October 2025.

How Bad Is It? Real Reports from Affected Users

The scale of this attack is staggering. On Reddit, users have been reporting receiving hundreds of spam emails per hour from various Zendesk instances. One user reported getting over 500 emails in just 4 hours. Another counted their spam emails increasing by the minute: "22... 23... 24... 26... 27... 28..." as they watched helplessly.

As one frustrated user put it: "I've got MULTIPLE support tickets from websites I've never heard of and have never used arriving in my inbox."

The problem? If you are an individual receiving this spam, you can't easily block or filter the emails, because every Zendesk instance sends its own auto-reply and the messages have little in common. Companies have ways to limit their spam intake, but the individuals being spammed do not.

List of Known Compromised Zendesk Accounts

Reddit user pepppppy has been tracking affected organizations. Here's a partial list of companies whose Zendesk instances have been exploited to send unsolicited emails:

Company     | Company           | Company
Dropbox     | CD Baby           | Capcom
Datadog     | Discord           | ElevenLabs
Lime CX     | Roll20            | 2K Games
tonies      | Thistle           | Headspace
LEAFWORKS   | Happiness         | mba.com
PrivacyWall | CleverReach       | INTUA
POIEMA      | Bang & Olufsen    | Ride With GPS
Box         | Live Nation Taiwan | US Gov Teacher Certification

According to pepppppy, this is just "a random sampling of larger organisations. There's well over 100 others also compromised." With over 1,500 spam emails arriving in a single day, the attack is ongoing and widespread.

Why Is This Happening Now?

This problem has actually been brewing for a while. In early 2024, a 15-year-old security researcher named Daniel discovered a critical vulnerability in Zendesk's email handling (later assigned CVE-2024-49193). His findings revealed that Zendesk had essentially zero protection against email spoofing in their email collaboration feature.

The exploit was surprisingly simple:

When you email a company's Zendesk support (like support@company.com), Zendesk creates a ticket and generates a reply-to address like support+id123@company.com. If you CC someone on a reply to that ticket, Zendesk automatically adds them to the ticket, giving them access to the entire conversation history.

Attackers could exploit this by spoofing the original sender's email address and CC'ing themselves onto any ticket they wanted to access. All they needed was the support email address and the ticket ID (which are often sequential and easy to guess).

The Slack Takeover: How This Got Really Serious

The vulnerability went from "concerning" to "critical" when researchers figured out how to chain it with other services. Many companies use the same domain for Zendesk AND their Single Sign-On (SSO) systems like Slack.

Here's what attackers could do:

1. Create an Apple ID with support@company.com as the email

2. Apple sends a verification code to that address

3. The verification email lands in Zendesk as a ticket

4. Attacker uses the email spoofing bug to add themselves to the ticket

5. Attacker gets the verification code and verifies their Apple account

6. Attacker uses "Sign in with Apple" on Slack

7. Attacker gains access to the company's private Slack workspace

This affected over half of Fortune 500 companies who were using vulnerable Zendesk configurations. The researcher earned over $50,000 in bug bounties from individual companies, though Zendesk itself refused to pay anything.

Is This a Zendesk Vulnerability or a Configuration Issue?

Zendesk's official position is that this isn't a vulnerability – it's a "potential side effect when Zendesk is set to allow unverified users to submit requests."

Technically, they're half right. The relay spam problem exists because many Zendesk instances are configured to:

• Allow anonymous ticket submission (anyone can create a ticket)

• Not validate the email address of the submitter

• Automatically send confirmation emails that include user-submitted content

These settings exist for legitimate business reasons – not every company wants to make customers jump through hoops to get support. But the defaults make it trivially easy for bad actors to abuse.

The earlier email spoofing vulnerability (CVE-2024-49193) was a genuine Zendesk bug that got patched in July 2024. But the relay spam issue? That's a configuration problem that Zendesk admins need to fix themselves.

How to Fix Zendesk Spam: Step-by-Step Guide

Here's exactly what you need to do to protect your Zendesk instance:

Fix #1: Remove Dangerous Placeholders from Your First-Reply Trigger

This is the most critical fix. Zendesk's auto-responder triggers often include placeholders like {{ticket.title}} or {{ticket.description}} in the confirmation email. Attackers can insert their spam content in the ticket subject or body, and Zendesk will helpfully include it in the email sent to the victim.

To fix this:

1. Go to Admin Center > Business rules > Triggers

2. Find your "Notify requester of received request" trigger (or similar first-reply triggers)

3. Remove or modify placeholders that include user-submitted content like {{ticket.title}} and {{ticket.description}}

4. Replace with static text that confirms the ticket was received without echoing back user content
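One way to check Fix #1 across every trigger at once, as an added example that is not Zendesk's or this article's own code. It assumes trigger definitions exported as objects with active and actions fields, where a notification_user action carries [recipient, subject, body]; the last two placeholder names in the list are assumed to echo requester text like the two named above.

```javascript
// Added example. Assumed shape: { id, title, active, actions: [{ field, value }] }.
const RISKY_PLACEHOLDERS = [
  'ticket.title', 'ticket.description',                 // named in the article
  'ticket.comments_formatted', 'ticket.latest_comment', // assumed: also echo user text
];

// Collect the names of all {{ placeholder }} references in a template string.
function placeholdersIn(text) {
  return [...String(text).matchAll(/\{\{\s*([\w.]+)/g)].map(m => m[1]);
}

// One finding per active trigger that e-mails the requester a subject or body
// containing a risky placeholder.
function auditTriggers(triggers) {
  const findings = [];
  for (const trig of triggers) {
    if (!trig.active) continue;
    for (const action of trig.actions || []) {
      if (action.field !== 'notification_user') continue;
      const [recipient, subject, body] = action.value || [];
      if (!String(recipient).startsWith('requester')) continue;
      const risky = [...new Set(placeholdersIn(`${subject} ${body}`))]
        .filter(name => RISKY_PLACEHOLDERS.includes(name));
      if (risky.length) findings.push({ id: trig.id, title: trig.title, risky });
    }
  }
  return findings;
}

// Constructed sample data, not taken from any real account.
const SAMPLE_TRIGGERS = [
  { id: 1, title: 'Notify requester of received request', active: true,
    actions: [{ field: 'notification_user', value: ['requester_id',
      '[Request received] {{ticket.title}}',
      'Request {{ticket.id}} received.\n\n{{ticket.comments_formatted}}'] }] },
  { id: 2, title: 'Static acknowledgement', active: true,
    actions: [{ field: 'notification_user', value: ['requester_id',
      'We received your request', 'Request {{ticket.id}} has been logged.'] }] },
  { id: 3, title: 'Notify assignee', active: true,
    actions: [{ field: 'notification_user', value: ['assignee_id',
      'New ticket', '{{ticket.description}}'] }] },
  { id: 4, title: 'Disabled auto-reply', active: false,
    actions: [{ field: 'notification_user', value: ['requester_id',
      'Re: {{ticket.title}}', '{{ticket.description}}'] }] },
];

console.log(JSON.stringify(auditTriggers(SAMPLE_TRIGGERS), null, 2));
```

Only trigger 1 is reported: trigger 2 uses static text, trigger 3 notifies an agent rather than the requester, and trigger 4 is inactive.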

Fix #2: Permit Only Verified Users to Submit Tickets

This is the nuclear option that completely solves the problem, but it does add friction for legitimate customers.

1. Go to Admin Center > People > Configuration > End users

2. Enable "Anybody can submit tickets" but also enable "Require email verification"

3. Alternatively, select "Only users I add can submit tickets" for maximum security

If you can't require verification for business reasons, consider implementing CAPTCHA or other anti-bot measures on your ticket submission forms.

Fix #3: Implement Email Domain Restrictions

If your support is only for customers with known email domains:

1. Go to Admin Center > People > Configuration > End users

2. Use the "Allowed email domains" setting to restrict who can submit tickets

3. This prevents attackers from using random victim email addresses

Fix #4: Set Up Spam Filters and Suspended Tickets Review

Zendesk has built-in spam detection that you should review:

1. Go to Admin Center > Views > Suspended tickets

2. Regularly review suspended tickets to catch spam patterns

3. Use trigger conditions to automatically suspend tickets from suspicious sources

Fix #5: If You're Getting Spam Emails (Not Sending Them) – The Gmail Workaround

If your personal email is being bombarded with Zendesk spam from various companies, there's a workaround. This solution was created by pepppppy on Reddit and shared via GitHub Gist.

Important caveat: This won't stop the spam at the source, but it will automatically filter Zendesk emails out of your inbox. However, be aware that this will also catch legitimate Zendesk emails from companies you actually do business with, so use with caution.

What this solution does: It creates a script that runs automatically every hour, checks your emails for the Zendesk email header, and labels them so you can filter or delete them.

Step 1: Open Google Apps Script

1. Open your web browser and go to script.google.com

2. Sign in with the same Google account that's receiving the spam emails

3. Click the "New project" button in the top left corner

4. You'll see a code editor with some default text. Delete everything in there.

Step 2: Create the "zendesk" Label in Gmail

Before the script will work, you need to create a label in Gmail:

1. Open Gmail in a new tab

2. On the left sidebar, scroll down and click "More"

3. Click "Create new label"

4. Type zendesk (all lowercase) and click "Create"

5. You can close the Gmail tab now

Step 3: Copy and Paste the Script

Go back to your Google Apps Script tab and paste this entire code block:

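function handleZendeskSpam() {
  // The "zendesk" label must already exist (see Step 2).
  const label = GmailApp.getUserLabelByName("zendesk");
  if (!label) throw new Error('Create the "zendesk" label in Gmail first');

  // Threads from the last day that do not carry the label yet.
  const threads = GmailApp.search('-label:zendesk newer_than:1d');
  const found = [];

  threads.forEach(t => {
    // Check the raw source of the thread's first message for Zendesk's X-Mailer header.
    if (/X-Mailer:.*zendesk/i.test(t.getMessages()[0].getRawContent())) {
      found.push(t);
    }
  });

  // Work in batches of 100: Gmail's bulk thread calls fail on larger arrays.
  for (let i = 0; i < found.length; i += 100) {
    const matches = found.slice(i, i + 100);
    label.addToThreads(matches);
    // GmailApp.moveThreadsToArchive(matches);
    // GmailApp.moveThreadsToTrash(matches);
  }
}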

What this code does (in plain English):

• It looks at all your emails from the last day that don't already have the "zendesk" label

• It checks each email's hidden headers for "X-Mailer: Zendesk" (this is how Zendesk marks its emails)

• Any email that matches gets the "zendesk" label added to it
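The script tests its pattern against the whole raw message, body included. As an added example (not part of pepppppy's gist), the helper below restricts the X-Mailer match to the header block; parseHeaders, isZendeskMail and both sample messages are constructed for illustration.

```javascript
// Added example, not the gist's code: test X-Mailer in the header block only.
// Function names and sample messages are constructed for illustration.

// Headers end at the first blank line; a line starting with space or tab
// continues the previous header ("folding"), so unfold before splitting.
function parseHeaders(raw) {
  const end = raw.search(/\r?\n\r?\n/);
  const block = (end === -1 ? raw : raw.slice(0, end)).replace(/\r?\n[ \t]+/g, ' ');
  const headers = new Map();
  for (const line of block.split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon <= 0) continue;
    const name = line.slice(0, colon).trim().toLowerCase();
    const values = headers.get(name) || [];
    values.push(line.slice(colon + 1).trim());
    headers.set(name, values);
  }
  return headers;
}

function isZendeskMail(raw) {
  return (parseHeaders(raw).get('x-mailer') || []).some(v => /zendesk/i.test(v));
}

// Constructed messages. The first folds its X-Mailer header across two lines;
// the second is a personal mail that merely quotes Zendesk headers in its body.
const AUTO_REPLY = [
  'From: Example Support <support@example.com>',
  'Subject: [Request received]',
  'X-Mailer:',
  ' Zendesk',
  '',
  'Your request has been received.',
].join('\r\n');
const FORWARD = [
  'From: friend@example.org',
  'Subject: Fwd: is this spam?',
  'X-Mailer: ExampleMail 1.0',
  '',
  '---------- Forwarded message ----------',
  'X-Mailer: Zendesk',
  'Your request has been received.',
].join('\r\n');

const naive = raw => /X-Mailer:.*zendesk/i.test(raw); // pattern from the script in Step 3
console.log('header-only:', isZendeskMail(AUTO_REPLY), isZendeskMail(FORWARD));
console.log('whole-message:', naive(AUTO_REPLY), naive(FORWARD));
```

In Apps Script, isZendeskMail(t.getMessages()[0].getRawContent()) could take the place of the regex test, so a forwarded or quoted message is not labeled by mistake.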

Step 4: Save the Project

1. Click the floppy disk icon (💾) at the top, or press Ctrl+S (Cmd+S on Mac)

2. Give your project a name when prompted, like "Zendesk Spam Filter"

3. Click "OK"

Step 5: Test the Script

Let's make sure it works before setting it to run automatically:

1. Click the "Run" button (the play icon ▶️) at the top

2. Google will ask you to authorize the script. Click "Review permissions"

3. Choose your Google account

4. You'll see a warning that says "Google hasn't verified this app" – this is normal for personal scripts

5. Click "Advanced" then "Go to Zendesk Spam Filter (unsafe)"

6. Click "Allow" to let the script access your Gmail

7. The script will run. Check your Gmail – any Zendesk emails from the last day should now have the "zendesk" label

Step 6: Set Up Automatic Running (Trigger)

Now let's make it run automatically every hour:

1. In the left sidebar of your script project, click the clock icon (labeled "Triggers")

2. Click "+ Add Trigger" in the bottom right

3. Configure the trigger with these settings:

• Choose which function to run: handleZendeskSpam

• Choose which deployment should run: Head

• Select event source: Time-driven

• Select type of time based trigger: Hour timer

• Select hour interval: Every hour

4. Click "Save"

Step 7: Create a Gmail Filter to Handle Labeled Emails

Now that Zendesk emails are being labeled, you can decide what to do with them:

1. Open Gmail

2. In the search bar, type: label:zendesk

3. Click the Show search options button (the three lines with dots on the right side of the search bar)

4. Click "Create filter"

5. Choose what you want to do with these emails:

• Skip the Inbox (Archive it) – Emails go straight to the "zendesk" label, bypassing your inbox

• Delete it – Automatically trash all Zendesk emails (be careful with this one!)

• Mark as read – Keep them but don't show as unread

6. Click "Create filter"

Optional: Automatically Delete or Archive (Advanced)

If you want the script itself to automatically archive or delete the emails (instead of just labeling them), you can modify the code:

To automatically archive: Remove the two forward slashes (//) from the line that says:

// GmailApp.moveThreadsToArchive(matches);

So it becomes:

GmailApp.moveThreadsToArchive(matches);

To automatically delete: Remove the two forward slashes (//) from the line that says:

// GmailApp.moveThreadsToTrash(matches);

So it becomes:

GmailApp.moveThreadsToTrash(matches);

Warning: Be careful with auto-delete! This will trash ALL Zendesk emails, including legitimate support tickets from companies you actually use.

Limitation to Be Aware Of

This script runs on a schedule (every hour), not in real-time. This means you'll still receive notifications for Zendesk spam as it arrives – the script will clean them up on the next hourly run. To disable notifications, you may need to temporarily mute email notifications on your phone during heavy spam attacks.

What Zendesk Is Doing About It

After significant pressure from the security community and affected companies, Zendesk has implemented several measures:

• Enhanced spam filters using RSPAMD scoring

• Automatic suspension of verification emails from Apple and Google

• Improved rate limiting on ticket creation

• Published official guidance for preventing relay spam

Zendesk's community team has also acknowledged the issue on Reddit, stating: "Our security team is investigating right now. To make sure we track who's affected and handle this properly, please open a support ticket with our Support team so they can log the accounts, assess the scope, and follow up with you privately."

However, Zendesk maintains that the core configuration options (anonymous submission, no email validation) are intentional features, not bugs. It's up to individual admins to secure their instances.

The Bigger Picture: Why This Matters for Your Security

This Zendesk situation highlights a broader problem: third-party tools like Zendesk, Slack, and others are deeply integrated into company infrastructure, often on the same domains used for SSO and internal authentication.

The researcher who discovered the original vulnerability made an important observation: "Many companies use their @company.com domain for Single Sign-On, which lets employees quickly log in to internal tools. By connecting Zendesk to the same domain, companies unknowingly create a potential security gap."

If you're using Zendesk on your primary company domain:

• Audit what other services use that domain for authentication

• Consider using a subdomain like support.company.com instead

• Review your SSO configurations for services that might trust Zendesk-related email verification

• Implement strict email verification wherever possible

Quick Checklist: Is Your Zendesk Secure?

Run through this checklist today:

☐ First-reply triggers don't include user-submitted content in emails

☐ Email verification is required for ticket submitters (or you have another validation method)

☐ You're not using your primary SSO domain for Zendesk (consider a subdomain)

☐ Spam filters and suspended ticket review are active

☐ Your email collaboration settings are reviewed and secured

☐ You have rate limiting or CAPTCHA on your public ticket forms

Final Thoughts

The Zendesk spam issue is a perfect example of how default configurations can create serious security problems. It's not that Zendesk is inherently insecure – it's that the out-of-the-box settings prioritize ease of use over security.

As a Zendesk admin, it's your responsibility to secure your instance. Take 30 minutes today to implement the fixes above, and you'll protect both your customers and your company's reputation from being used as a spam relay.

And if you're still getting spam emails from random companies' Zendesk instances, well... forward this article to them. They need it.


About Macha AI

Macha AI builds purpose-built AI apps for Zendesk — including Copilot, Auto Reply, and Translations — designed to help agents work faster and smarter. And this is just the beginning. Many more apps are on the way. Learn more → getmacha.com
