Frequently Asked Questions relating to Spamhaus data

What is the Spamhaus Botnet Controller List (BCL)?

• It is an advisory “drop all traffic” list consisting of single IPv4 addresses that are used by cybercriminals to control infected computers (bots).
• BCL does not contain any subnets or CIDR prefixes larger than /32.
• BCL listings are made according to policies outlined in BCL Listing Criteria.

What is the purpose of BCL?

The main purpose of BCL is to block malicious traffic at the network edge.

• BCL can be used in several different types of devices, from firewalls to intrusion detection systems (IDS/IPS) and many other security appliances.
• BCL can also be used passively – for example, by checking the log files of web proxies, firewalls or any other security devices to detect botnet-generated traffic in your network.

BCL is available in different formats, such as a rule file for various Intrusion Detection Systems (IDS)/ Intrusion Prevention Systems (IPS). It is also available in a plain-text file, in CSV, as a Response Policy Zone (RPZ) and via the Spamhaus BGP Feed (BGPf).

Specific instructions for implementation will depend on what use case you have; such questions should be referred to the device documentation or vendor.

Is there a difference between the BCL and the BGPf?

The Spamhaus BGP feed (BGPf) is just a different delivery method for the BCL.

The Botnet Controller List (BCL) is updated in real time.

To find out more information regarding access to the BCL please complete the contact form on Spamhaus Technology’s website.

The BCL’s primary objective is to avoid ‘false positives’ while blocking as much malicious traffic as possible.

• BCL false positives are extremely rare.
• Since BCL is a subset of SBL, every BCL listing is based on an investigation by one of the Spamhaus SBL team members.
• BCL does not contain any automated listings: all listings on BCL have been issued and reviewed by a human.