Spamhaus Botnet Controller List
The Spamhaus Botnet Controller List ("BCL") is a specialized subset of the Spamhaus Block List (SBL): an advisory "drop all traffic" list consisting of single IPv4 addresses that are used by cybercriminals to control infected computers (bots). BCL does not contain any subnets or CIDR prefixes larger than /32.
What is a botnet? And what are bots?
- Botnet Command & Control (C&C) nodes are servers that control individual malware-infected computers (bots) that together form a botnet.
- Bots regularly contact botnet C&C nodes in order to transfer stolen data to the botnet master / botnet herder as well as to obtain instructions / tasks for what the infected computer (bot) should do next.
- Once a bot contacts a botnet C&C node, it receives instructions to send spam, host spammed web sites, attack other hosts on the internet, and provide name service (DNS) for the domains used in those attacks.
- BCL lists the IP addresses used by such C&C nodes and gives its users the possibility to block bad traffic to and from C&C nodes on the internet.
For small office / home office (SOHO) users, the usage of BCL is subject to a nominal annual fee. You can subscribe to Spamhaus BCL through the Spamhaus Technology website.
Listing Criteria
An IP address is listed on the Spamhaus Botnet Controller List (BCL) when it meets the following criteria:
- The server hosted at the IP address is used to control computers that are infected with malware.
- The server hosted at the IP address is operated with malicious intent (in other words, the server is operated by cybercriminals for the exclusive purpose of hosting a botnet C&C server).
Spamhaus Definition of Malware
Malware is any software that is installed on a computer, without the knowledge or consent of the owner of that computer, for any of the following purposes:
- To steal information such as user logins and passwords, cryptographic keys, or sensitive personal data from the victim.
- To use the computer to send spam, host web sites, host name servers, attack other hosts on the internet, or otherwise interfere with the legitimate use of the internet and other hosts on the internet.
- To use the computer to relay internet traffic or data to accomplish either of these tasks.
Computers that are infected with this sort of malware usually unknowingly participate in botnets, ad-hoc networks that are used by cybercriminals for the purposes described above.
Purpose of this List
When installed in a router's DENY table, the Botnet Controller List (BCL) prevents any communication between that router and the IPs on the list. If installed on all routers of a network, this in turn blocks communication between botnet controllers and any bots on that network. The result is that botnet operators are unable to contact any bots on that network and therefore cannot receive stolen information or give those bots instructions. In this way, BCL prevents the loss of sensitive information that can be used in identity theft, and prevents the bots on that network from being used to spam or commit crimes.
Delivery mechanisms
The Spamhaus Botnet Controller List (BCL) can be obtained using different delivery mechanisms provided by Spamhaus, such as a BGP feed (BGPf), rsync, or a ruleset for open source IDS/IPS such as Snort and Suricata. Further information about the available delivery mechanisms can be obtained from our data feed provider.
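The two preceding sections describe BCL as a list of single IPv4 addresses (/32 only) that is meant to be installed as a bidirectional deny rule on a network's routers or delivered as an IDS/IPS ruleset. The following Python script is an added example, not Spamhaus code and not any of Spamhaus's actual feed formats: it assumes a hypothetical plain-text feed with one address per line and `;` comments (the sample feed below is constructed from RFC 5737 documentation addresses, not real listings), enforces the "/32 only, IPv4 only" property stated above so that a malformed feed can never turn into a wide block, and renders the accepted entries both as iptables DROP rules in both directions for a gateway's FORWARD chain and as bidirectional Suricata `drop` rules.

```python
import ipaddress

# Constructed sample feed (NOT real BCL data). The hypothetical format is one
# entry per line with optional ';' comments. The last three lines are
# deliberately invalid so the validator's behaviour is visible.
SAMPLE_FEED = """\
; hypothetical BCL-style feed, RFC 5737 documentation addresses only
192.0.2.10
198.51.100.77/32     ; an explicit /32 is accepted
203.0.113.5
10.0.0.0/8           ; wider than /32: must be rejected, BCL never lists prefixes
2001:db8::1          ; IPv6: BCL is IPv4-only, reject
not-an-ip            ; garbage: reject rather than pass to the firewall
"""


def parse_bcl_feed(text):
    """Split a feed into (accepted, rejected).

    accepted: list of dotted-quad strings, each a single IPv4 host (/32).
    rejected: the raw tokens that were not a single IPv4 host, kept so the
    operator can log them; a silently dropped line is as bad as a wrong block.
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        token = raw.split(";", 1)[0].strip()   # strip comments and whitespace
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=True)
        except ValueError:
            rejected.append(token)
            continue
        # Enforce the list's stated property: only IPv4 /32 entries.
        if net.version != 4 or net.prefixlen != 32:
            rejected.append(token)
            continue
        accepted.append(str(net.network_address))
    return accepted, rejected


def iptables_rules(addrs, chain="FORWARD"):
    """Render DROP rules for traffic to AND from each controller.

    Blocking both directions is what the 'DENY table' description above asks
    for: bots cannot reach the controller, and the controller cannot reach the
    bots. These rules should sit early in the chain, before any ACCEPT rules.
    """
    rules = []
    for ip in addrs:
        rules.append(f"iptables -I {chain} -d {ip} -j DROP")
        rules.append(f"iptables -I {chain} -s {ip} -j DROP")
    return rules


def suricata_rules(addrs, sid_base=9000000):
    """Render one bidirectional Suricata 'drop' rule per controller.

    sid_base is an assumed private SID range; pick one that does not collide
    with rulesets already loaded on the sensor. '<>' matches either direction.
    """
    rules = []
    for i, ip in enumerate(addrs):
        rules.append(
            f"drop ip $HOME_NET any <> {ip} any "
            f'(msg:"BCL botnet controller {ip}"; classtype:trojan-activity; '
            f"sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    ok, bad = parse_bcl_feed(SAMPLE_FEED)
    print("# rejected entries (review these, do not block them):")
    for entry in bad:
        print(f"#   {entry}")
    print("\n".join(iptables_rules(ok)))
    print("\n".join(suricata_rules(ok)))
```

Running the script prints the three rejected tokens as comments, six iptables lines (two per accepted address) and three Suricata rules. The rejection list matters in practice: a feed line like `10.0.0.0/8` can only reach the firewall if the validator lets it through, and that one rule would cut a network off from its own address space, which is exactly why the page stresses that BCL contains nothing larger than /32.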
Case Studies
The Spamhaus Botnet Controller List (BCL) has already proved its effectiveness on production networks. A case study about the implementation of BCL in a production environment using the Spamhaus BGP feed (BGPf) can be found here:
In 2013, Spamhaus published a blog post regarding the effectiveness of BCL and about the Spamhaus BGP feed (BGPf) as a delivery mechanism. The blog post provides some interesting insights into the data published on BCL and can be viewed here: