The Spamhaus Project

Botnet Controller List (BCL)

About the Data

The Spamhaus Botnet Controller List (BCL) is a specialized, advisory "drop all traffic" list. It consists of IP addresses that are actively used by cybercriminals to control malware-infected computers (bots). This is a high-confidence list, with false positives being extremely rare, to block as much high-risk, malicious traffic as possible.

Policy statement

The BCL exclusively lists active botnet command and control (C&C) servers, operated by cybercriminals for the sole purpose of managing and controlling bots. It does not list individual bot IPs; these datapoints are provided in the Exploits Blocklist (XBL) dataset.

Listing only single IPv4 addresses, the BCL does not contain any subnets or CIDR prefixes larger than /32.

Benefits of this data

Providing perimeter protection against the worst of the worst connections, this dataset usually contains between 500 and 2000 listings, with up to 50 new entries every 24 hours. The BCL dataset will prevent infected computers within your network from communicating with external botnet C&C server(s), and receiving instructions and malware updates.

No inbound or outbound network connections should be made to these IP addresses under any circumstances. For this reason, BCL is most commonly consumed as a BGP feed coming to your edge routers or firewalls as discussed below, however other formats are also available.

How it works

When installed in a router's DENY table, the BCL will prevent any communication between that router and the IPs on the list. If installed on all routers for a network, all communications between botnet controllers and any bots on that network are blocked. The same applies for firewalls like Cisco and Fortinet.

The result is botnet operators are unable to contact any bots on that network, and therefore cannot receive stolen information, or give those bots instructions. By this, BCL prevents loss of sensitive information that can be used in identity theft or for encryption as part of a ransomware attack. It also means bots on that network are prevented from performing outbound tasks that may be linked to criminal activity or spamming.

Accessing this data

For more commercially-focused solutions, this data, also including botnet C&Cs hosted on compromised systems, can be accessed via our partner Spamhaus Technology in several formats:

  • As a plain text file, via DNS lookups (limited to dedicated C&Cs).
  • Via BGP Firewall feeds - for use with routers and firewalls.
  • As Response Policy Zones with DNS Firewall - for use with mainstream DNS resolvers.
  • And through an API returning extended information about the nature of each listing - for organizations working in the security arena.


If your IP is listed on the Botnet Controller List, you should visit: This will take you to our IP and Domain Reputation Checker for more information, and the only place where BCL removals are handled.


Other Blocklists Available From Spamhaus


Combined Spam Sources

Learn more


Domain Blocklist

Learn more


Exploits Blocklist

Learn more


Policy Blocklist

Learn more


Spamhaus Blocklist

Learn more


PBL, SBL & XBL combines

Learn more