As we are constantly looking to expand the breadth of reputational data available via the Spamhaus Intelligence API (SIA), we are delighted to announce that you can now access the extended Botnet Controller List (eBCL).

Don’t know what SIA is?

Until recently, our limited access methods restricted how organizations could use our IP and domain reputation data. To address this, our engineers have developed an API that makes it easy to integrate Spamhaus’ intelligence into your existing systems.

SIA doesn’t just return a basic binary response as to whether a resource is listed or not; it is enriched with additional metadata providing deeper insights to help speed up investigations and accelerate reporting.

What is the extended Botnet Controller List (eBCL)?

This dataset contains single IPv4 addresses used by miscreants to control infected devices, otherwise known as Botnet Command and Controllers, C&Cs, or C2s.

At its heart, the eBCL is a “drop all traffic” list detailing the worst of the worst. By this, we mean that a network should not try to connect to these IP addresses under any circumstances, nor should it accept inbound traffic from them.

It will come as no surprise that, given its specific focus, the eBCL is much smaller than the extended eXploits Blocklists:

  • eBCL total entries – 2K (approx.)
  • eBCL new entries per 24 hours – 25-50

The eBCL contains the following metadata for each listing, where available: ipaddress, botname, seen, firstseen, listed, valid-until, dstport, asn, lat, lon, cc, protocol, urls, domains, samples. See our technical documentation for a detailed explanation of these.

How can the eBCL be used?

Different organizations will have different use cases for this data. However, here are some ideas our team has come up with on how this data may assist.

Vetting and monitoring IP space
There are numerous situations where it is necessary to monitor or vet IP space:

  • Where new IP space is purchased, this API can check if this space hosts Botnet C&Cs.
  • If new hosted solutions are being considered, the range can be checked to ensure Botnet C&Cs are not operating in the neighborhood.
  • Aid investigations for network operators: if customers have botnet controllers in their IP space, are they (1) legitimate, or (2) are their systems compromised, with remediation required across their entire IP space?
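
One way to run the vetting checks listed above, as an added example that is not Spamhaus code. It assumes the eBCL listings have already been retrieved and are held as Python dicts keyed by the metadata field names this post lists; the sample records, the prefixes and the use of Unix timestamps for valid-until are constructed assumptions, not the SIA response format.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample records. Field names come from the eBCL metadata list;
# the values and the Unix-timestamp form of "valid-until" are assumptions.
SAMPLE_LISTINGS = [
    {"ipaddress": "198.51.100.23", "botname": "ExampleBotA", "dstport": 443,
     "asn": 64500, "valid-until": 1900000000},
    {"ipaddress": "198.51.100.77", "botname": "ExampleBotB", "dstport": 8080,
     "asn": 64500, "valid-until": 1600000000},
    {"ipaddress": "203.0.113.9", "botname": "ExampleBotA", "dstport": 443,
     "asn": 64501, "valid-until": 1900000000},
    {"ipaddress": "not-an-ip", "botname": "Broken", "valid-until": 1900000000},
]

def vet_prefixes(prefixes, listings, now=None):
    """Return {prefix: [active listings inside it]} for every prefix given."""
    now = now if now is not None else datetime.now(timezone.utc).timestamp()
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    report = {str(n): [] for n in nets}
    for rec in listings:
        try:
            addr = ipaddress.IPv4Address(rec["ipaddress"])
        except (KeyError, ipaddress.AddressValueError):
            continue  # skip malformed records rather than abort the run
        expiry = rec.get("valid-until")  # metadata is only "where available"
        if expiry is not None and expiry <= now:
            continue  # lapsed listing; records with no expiry stay flagged
        for net in nets:
            if addr in net:  # False for an IPv6 prefix, the eBCL is IPv4 only
                report[str(net)].append(rec)
    return report

def summarize(report):
    """Collapse a report into {prefix: {botname: sorted listed IPs}}."""
    out = {}
    for prefix, recs in report.items():
        bots = {}
        for rec in recs:
            bots.setdefault(rec.get("botname", "unknown"), []).append(rec["ipaddress"])
        out[prefix] = {b: sorted(ips, key=ipaddress.IPv4Address) for b, ips in bots.items()}
    return out

if __name__ == "__main__":
    candidate = ["198.51.100.0/24", "192.0.2.0/24"]  # constructed prefixes under review
    result = summarize(vet_prefixes(candidate, SAMPLE_LISTINGS, now=1700000000))
    for prefix, bots in result.items():
        print(prefix, bots if bots else "no active listings")
```

Grouping by botname per prefix gives an operator a first signal for the legitimate-versus-compromised question: the same family across many customer addresses points toward remediation across the whole allocation.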


Where it’s not possible to install the BCL on a router table, you can use the eBCL via SIA to query against incoming and outgoing traffic to block connections to listed Botnet C&Cs.

How do you access the eBCL?

You can sign up here if you’d like to trial this data via SIA. Alternatively, for those who would like an opportunity to experiment with our data over an extended period, sign up for our free Developer License, which gives six months of access to these datasets without any charge.


Related Products

Spamhaus Intelligence API (SIA)

This API provides access to multiple datasets containing metadata relating to compromised IP addresses. These IP addresses may be exhibiting compromised behavior, including malware, worm, and trojan infections and SMTP-specific traffic emitting spam, or cybercriminals may be using them to control infected computers (botnet command & controllers).

The breadth of data available via an easily consumable API provides security developers with scores of opportunities.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust

