We've seen widespread issues with spammers using Zendesk instances as a relay. This is something I've fixed at various businesses over the last few years. The primary problem is using placeholders such as
{{ticket.title}}Firstly, take any freetyped placeholders out of your ticket creation autoresponses. Nothing manually entered on the form should be bounced back to the user. You have additional options, like setting different notification triggers for different channels (this is often a good idea!) and then only use those placeholders for freetyped items when tickets are created via authenticated routes.
Lastly, if you've been a victim, please hop into Explore and you should be able to see where the spam relay issue started. The spammers will always test first on a few addresses they control, so that they can be sure of how your form and notifications work. Find their test tickets and pop those details over to your Zendesk contact. Zendesk should be able to verify that your instance is correctly updated to protect from these issues and also then to fingerprint the culprits.
If you're worried about any of this, please feel free to give us a shout and we will do these checks pro bono. You can also use Beacon to audit your Zendesk configuration. Contact me via Linkedin or email and put your mind at ease.