Step 1: You can configure a secret LISTSERV Captcha Badge to use by itself, or with other CAPTCHA solutions. This is done at the site level (either in SITE.CFG or via the web interface) using the WWW_CAPTCHA_BADGE setting.

If defined, the login, new password and subscription screens will not accept any requests without this badge or key. This prevents bots from bypassing any CAPTCHA challenge since they will not know what the secret badge is.

This secret badge can also be used without a CAPTCHA solution but will be less effective as the badge won’t be protected by CAPTCHA and the bots could, in theory, be able to retrieve it from the source code of the web page.

The secret badge can be any alphanumeric combination of letters and numbers. It cannot contain spaces or other special characters. For maximum security, we recommend using a randomly generated string. It will not be necessary for any administrators, list owners or users to type in the code manually.  For example, let us assume you choose a badge code of "3A444B6".  If configuring this via the web interface, you would find the WWW_CAPTCHA_BADGE setting under Server Administration/Site Configuration/Web Interface. Type the value 3A444B6 (or your preferred badge) into the text box, then click the Update button at the bottom of the page.

If preferred, the value can also be configured manually via the site-level configuration files.

For Windows (site.cfg):

WWW_CAPTCHA_BADGE=3A444B6


For unix (go.user):

WWW_CAPTCHA_BADGE="3A444B6"

export WWW_CAPTCHA_BADGE


Note that, as always, setting the value manually in either site.cfg or go.user requires the LISTSERV server to be restarted for the change to be recognized.

Whether or not you decide to use a formal CAPTCHA service, this CAPTCHA badge also must be entered into the captcha.keys file -- see Step 3.