CAPTCHA solutions allow a web page to require users to pass some test before they can access the functionality of the page, with the idea that humans will be better able to pass these tests than bots. If you’ve ever been asked to click on photos that contained motorcycles or traffic lights when you tried to log in to a site, then you’ve encountered a CAPTCHA.

By making it difficult for bots to access the pages, securing a site via CAPTCHA makes it less attractive as a target for bot-based attacks and decreases the chance that such attacks will be effective. 

Starting with 17.5, LISTSERV has built-in support for several CAPTCHA-type solutions, which can be used to secure access to the public login, new password request and subscription functions. While older LISTSERV versions had limited support for CAPTCHA, this could not be used to secure LISTSERV against bot-based subscription requests that bypass the web interface altogether and make calls directly to WA. This has been changed in LISTSERV 17.5, and now, if this feature is enabled, all login, new password and subscription requests must be validated using CAPTCHA, making it much more difficult for bot-based requests to get through.        

Prerequisites:


IMPORTANT: For UNIX, LISTSERV depends on a captcha.php file in the archives/captcha directory.  The captcha.php file REQUIRES PHP version 8 at minimum.  It will CRASH on earlier versions (e.g., PHP 7).  Please ensure that you have a new enough version of PHP installed on your server if you wish to use the CAPTCHA feature.

If you want to use the PHP script, make sure that PHP 8 or later is installed and enabled. And if you’re using HTTPS, make sure that extension=openssl is uncommented in the php.ini file.
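The two UNIX prerequisites above can be checked before CAPTCHA is enabled. The following script is an added example, not part of LISTSERV or its documentation; the function names and the sample php.ini are constructed for illustration, and the php.ini path is assumed to be supplied by the administrator.

```shell
#!/bin/sh
# Added example: preflight check for the UNIX CAPTCHA prerequisites.
# Function names and the sample php.ini below are constructed for illustration.

# php_version_ok VERSION: succeeds when the major version is 8 or later.
php_version_ok() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 1 ;;    # empty or non-numeric: treat as a failure
    esac
    [ "$major" -ge 8 ]
}

# openssl_enabled INI_FILE: succeeds when extension=openssl is present and
# not commented out (php.ini comments start with ';').
openssl_enabled() {
    grep -Eq '^[[:space:]]*extension[[:space:]]*=[[:space:]]*"?(php_)?openssl(\.so|\.dll)?"?[[:space:]]*(;.*)?$' "$1"
}

# captcha_preflight VERSION INI_FILE HTTPS(yes|no): prints findings and
# returns 0 only when every prerequisite that applies is met.
captcha_preflight() {
    rc=0
    if ! php_version_ok "$1"; then
        echo "FAIL: PHP $1 found; captcha.php requires PHP 8 or later"
        rc=1
    fi
    if [ "$3" = yes ] && ! openssl_enabled "$2"; then
        echo "FAIL: extension=openssl is not enabled in $2 (needed for HTTPS)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: PHP prerequisites for captcha.php are met"
    return "$rc"
}

# Demo on a constructed php.ini in which the openssl line is still commented out.
demo_ini=$(mktemp)
printf '%s\n' '[PHP]' ';extension=openssl' 'extension=mbstring' > "$demo_ini"
captcha_preflight 7.4.33 "$demo_ini" yes || echo "(preflight failed as expected)"
rm -f "$demo_ini"
```

On a real server, pass the output of `php -r 'echo PHP_VERSION;'` and the php.ini path reported by `php --ini`. The PHP that the web server uses to run captcha.php may load a different php.ini than the command-line binary, so check the file the web server actually reads.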

IMPORTANT: For WINDOWS, LISTSERV depends on a captcha.aspx file in the archives/captcha directory.  The captcha.aspx file REQUIRES Microsoft ASP.NET to be installed on the machine running LISTSERV. Please ensure that you have ASP.NET installed on your server if you wish to use the CAPTCHA feature.

If ASP.NET is absent, IIS will report a “405 – HTTP verb used to access this page is not allowed” error.

Install ASP.NET by going to Control Panel -> Programs -> Turn Windows features on or off -> Internet Information Services -> World Wide Web Services -> Application Development Features. Then check the boxes for ASP.NET 4.8, .NET Extensibility 4.8, ISAPI Extensions and ISAPI Filters. 

CAPTCHA Solutions Supported


At present, LISTSERV can integrate with three of the most popular CAPTCHA solutions: reCAPTCHA, hCaptcha and Cloudflare Turnstile.

[Screenshots: example sites secured using the Cloudflare Turnstile service and the reCAPTCHA service.]

Most of the relevant settings can be found under Server Administration/Site Configuration under the Web Interface tab.

To set up a CAPTCHA solution for your LISTSERV site, follow these steps:

Step 1: Configure a CAPTCHA badge

Step 2: Sign up for the CAPTCHA service of your choice and add the unique site key to LISTSERV's configuration

Step 3: Configure the CAPTCHA script found in the web interface files with the "secret" key provided by your CAPTCHA service

Step 4: Enable CAPTCHA by setting the WWW_CAPTCHA_VENDOR site level configuration variable.