As we are constantly looking to expand the breadth of reputational data available via the Spamhaus intelligence API (SIA), we are delighted to announce that you can now access the extended Botnet Controller List (eBCL).

Don’t know what SIA is?

Until recently, our limited access methods restricted how organizations could use our IP and domain reputation data. Our engineers have developed an API that makes it easy to integrate Spamhaus’ intelligence into your existing systems to address this situation.

SIA doesn’t just return a basic binary response as to whether a resource is listed or not; it is enriched with additional metadata providing deeper insights to help speed up investigations and accelerate reporting.

What is the extended Botnet Controller List (eBCL)?

This dataset contains single IPv4 addresses used by miscreants to control infected devices, otherwise known as Botnet Command and Controllers, C&Cs, or C2s.

At its heart, the eBCL is a “drop all traffic” list detailing the worst of the worse. By this, we mean that a network should not try to connect to these IP addresses under any circumstances, nor should it accept inbound traffic from them.

It will come as no surprise that given its specific focus, the eBCL is much smaller in size than that of the extended eXploits Blocklists:

  • eBCL total entries – 300 – 2,000 (approx.)
  • eBCL new entries per 24 hours – 25-50

The eBCL contains the following metadata for each listing, where available: ipaddress, botname, seen, firstseen, listed, valid-until, dstport, asn, lat, lon, cc, protocol, urls, domains, samples. See our technical documentation for a detailed explanation of these.

How can the eBCL be used?

Different organizations will have different use cases for this data. However, here are some ideas our team has come up with on how this data may assist.

Vetting and monitoring IP space
There are numerous situations where it is necessary to monitor or vet IP space:

  • Where new IP space is purchased, this API can check if this space hosts Botnet C&Cs.
  • If new hosted solutions are being considered, the range can be checked to ensure Botnet C&Cs are not operating in the neighborhood.
  • Aid investigations for network operators – if customers have botnet controllers in their IP space, are they 1. Legitimate or 2. Are their systems compromised, and remediation is required across their entire IP space?


Where it’s not possible to install the BCL on a router table, you can use the eBCL via SIA to query against incoming and outgoing traffic to block connections to listed Botnet C&Cs.

How do you access the eBCL?

You can sign up here if you’d like to trial this data via SIA. Alternatively, for those who would like an opportunity to experiment with our data over an extended period, sign up for our free Developer License, which gives six months of access to these datasets without any charge.


Related Products

Spamhaus Intelligence API (SIA)

Spamhaus Intelligence API (SIA) contains context-rich metadata relating to IP and domain reputation. Integrate this data with your applications to enhance existing data feeds, or consume as an independent data source.

In this easy-to-consume format, SIA can be used for threat detection and investigation, risk scoring, customer vetting, validation and much more.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in


Increased performance and search capabilities for users of IP reputation data via API

28 October 2022

Blog News

Commercial or developer subscribers to any IP datasets via Spamhaus Intelligence API (SIA) will experience improved performance and search capabilities for this service.

New beta release | Rich domain reputation data via API – register now

14 September 2022

Blog News

Discover the rich domain-related data points available via this easy-to-consume API and how you can become one of only 30 beta testers.

New Report | Monthly Malware Digest, Aug 2022

7 September 2022


Spamhaus & have joined forces to create this Monthly Malware Digest. Using data from's platforms, the report gives an overview of malware campaigns, with insights into malware distribution sites, samples, IOCs & YARA rules.