Botnet Controller List (BCL)

The Spamhaus Botnet Controller List (BCL) is a specialised subset of the Spamhaus Block List (SBL) which contains single IP addresses of botnet command and control (C&C) servers.

Disrupting botnet communications

Botnet operators use huge networks of malware-infected computers to distribute spam and ransomware; steal data; conduct phishing campaigns; and launch DDoS attacks. BCL is designed to block all such malicious IP traffic at the network edge. When installed on edge routers, BCL prevents malicious traffic from entering or leaving your network.

Protecting against data loss

After installing BCL in your router’s DENY table, all communication from and to C&C servers is blocked. This prevents infected computers within your network from receiving instructions and malware updates. BCL also prevents sensitive data from being sent from botnet nodes to C&C servers. Disrupting communication with the C&C servers neutralises botnet nodes within your network and stops data egress, even though the devices are still infected with botnet malware.

Identifying infected devices within your network

When used in conjunction with intrusion prevention systems (IPS) and intrusion detection systems (IDS) such as Snort and Suricata, BCL identifies IP addresses of infected devices that are trying to contact botnet C&Cs and blocks traffic to and from these devices.
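
The matching described above, as an added example that is not Spamhaus code: it cross-references flow records against a list of controller IPs and reports which internal hosts exchanged traffic with them, in either direction. The list layout, the SBL-EXAMPLE references, the flow record format and all addresses are constructed assumptions, not the Spamhaus feed format.

```python
import ipaddress
from collections import defaultdict

# Constructed list: "ip ; reference". Layout and references are assumptions,
# not the Spamhaus feed format.
SAMPLE_BCL = """\
192.0.2.10 ; SBL-EXAMPLE-1
198.51.100.77 ; SBL-EXAMPLE-2
"""
# Constructed flow records: timestamp,src,dst,dst_port
SAMPLE_FLOWS = """\
2024-01-01T10:00:00Z,10.0.0.5,192.0.2.10,443
2024-01-01T10:00:03Z,10.0.0.8,203.0.113.9,443
2024-01-01T10:01:10Z,198.51.100.77,10.0.0.23,49152
2024-01-01T10:02:00Z,10.0.0.5,192.0.2.10,8080
truncated,record
"""
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_controllers(text):
    """Return {ip_address: reference} parsed from the constructed layout."""
    controllers = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow comments and blank lines
        if line:
            ip, _, ref = (part.strip() for part in line.partition(";"))
            controllers[ipaddress.ip_address(ip)] = ref
    return controllers


def find_infected(flows_text, controllers):
    """Map each internal host to the listed controllers it exchanged traffic with."""
    hits = defaultdict(set)
    for line in flows_text.splitlines():
        fields = line.split(",")
        try:
            src, dst = ipaddress.ip_address(fields[1]), ipaddress.ip_address(fields[2])
        except (IndexError, ValueError):
            continue  # skip malformed records rather than abort the scan
        # Check both directions: blocking covers traffic to and from C&C servers.
        for host, peer in ((src, dst), (dst, src)):
            if peer in controllers and any(host in net for net in INTERNAL):
                hits[str(host)].add((str(peer), controllers[peer]))
    return dict(hits)
```

Each reported host keeps the reference of the listing it matched, so an analyst can go from the infected device to the observations behind that listing.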

Response Policy Zones

When installed on a DNS server, Spamhaus BCL acts as a response policy zone (RPZ), also known as a DNS firewall, and supports special handling of hosts that resolve to IP addresses listed in BCL.

Compiled by a global security team

IP addresses included within the BCL have been manually researched by a team of Spamhaus security experts. The Spamhaus BCL is maintained as a zero false positive list. The IP addresses listed have been carefully researched and observed to be solely used for malicious activity and sending no legitimate email traffic. All listed IP addresses are linked to an SBL listing, with information on the observations that led to each individual IP being listed.

How to benefit from Spamhaus Technology BCL

  • Spamhaus Technology Border Gateway Protocol feed (BGPf) contains BCL as well as the Do Not Route or Peer (DROP) and extended DROP (eDROP) lists.
  • Spamhaus Technology provides BCL as an RPZ/DNS firewall for download to your DNS server.
  • Download the Spamhaus BCL ruleset and install this on your IDS/IPS. Spamhaus Technology supplies the ruleset for Snort, Suricata and other IDS/IPS using Snort format.

Our customers

Many of the world’s largest internet service providers rely on Spamhaus threat intelligence to block harmful email traffic and protect their customers.

With over 12 years' experience, we are trusted experts

Latest News

Brian Krebs | Bitcanal - "Hijack Factory" Shunned from Web

Brian Krebs covers the Bitcanal "Hijack Factory" story which hit the news this week. In the article Krebs highlights that virtually all of Bitcanal's IP address ranges had been listed by Spamhaus.

Doug Madory | Shutting down the BGP Hijack Factory - Bitcanal

This week sees Spamhaus featuring in the news again. Bitcanal, a notorious bad actor that has continually hijacked Border Gateway Protocol (BGP) routes, has effectively been kicked off the internet. Doug Madory, Director of Internet Analysis at Oracle Dyn, takes an in-depth look at the story: Shutting down the BGP Hijack Factory.
