Spamhaus offers a Border Gateway Protocol (BGP) feed of three of its lists, the Botnet C&C list, the DROP list, and the extended DROP list (EDROP). These lists are intended to be loaded into routers and used to block packets originating from IPs involved in certain types of malicious activity. Following is further information about the three lists on the BGPf.

Spamhaus DROP list as well as Spamhaus extended DROP list (EDROP) are available for free in text format. A BGP feed of these two lists is available for an annual fee. For detailed pricing please request an offer from one of our Data feed providers.

You can find the Spamhaus DROP listing policy here.

You can find the Spamhaus EDROP listing policy here.

Spamhaus Botnet C&C List (BGPCC)

The Spamhaus Botnet Command and Control (C&C) list is an advisory "drop all traffic" list consisting of single IPv4 addresses. The feed does not contain any subnets or CIDR prefixes longer than /32. The servers on these IP addresses host botnet C&C nodes. Botnet C&C nodes are servers that control the individual malware-infected computers (bots) that together form a botnet. Bots regularly contact botnet C&C nodes so that the malware on the bots can transfer stolen data to the C&C node for delivery to the botnet's owner, and to obtain instructions for what they are to do next. Once a botnet contacts a C&C node, it receives instructions to send spam, host spammed web sites, attack other hosts on the internet, and provide name service (DNS) for the domains used in those attacks.

Listing criteria
An IP address is listed on the Botnet C&C list when it meets the following criteria:

• The server hosted at this IP address is used to control computers that are infected with malware.
• The server hosted at this IP address is operated with this intent (In other words, the server is operated by cybercriminals).

Spamhaus Definition of Malware
Malware is any software that is installed on a computer without the knowledge or consent of the owner of that computer for any of the following purposes:

• To steal information such as user logins and passwords, cryptographic keys, or sensitive personal data from the victim.
• To use the computer to send spam, host web sites, host name servers, attack other hosts on the internet, or otherwise interfere with the legitimate use of the internet and other hosts on the internet.
• To use the computer to relay internet traffic or data to accomplish either of these tasks.

Computers that are infected with this sort of malware usually participate in botnets, ad-hoc networks that are used by cybercriminals for the purposes described above.

Purpose of this List
When installed in a router's DENY table, the Botnet C&C list prevents any communication between that router and the IPs on the list. If installed on all routers for a network, this in turn blocks communication between botnet controllers and any bots on that network. The botnet owner are unable to contact any bots on the network, and therefore cannot receive stolen information or give those bots instructions. In other words, the Botnet C&C list prevents loss of sensitive information that can be used in identity theft, and use of the bots on that network to spam or commit crimes.

Spamhaus strongly recommends that Tier-1 and backbone internet providers install the Botnet C&C list on their networks.

For further information and implementation of Spamhaus BGPf please have a look at the BGPf FAQ page