About a month ago the Spamhaus Project added several new lists to its Top-10 Worst pages. These are in addition to our existing Top-10 lists: Worst spammers, spammer hosting nations and spammer hosting Internet Service Providers (ISPs).

Every second of every hour of every day Spamhaus collects a vast quantity of real-time threat intelligence from around the globe. We analyze and use this data to produce the data sets that protect billions of users from spam and other attack threats. To better show where the largest numbers of botnet-related threats of all types are located, we have added the following three lists:

  • The World’s Worst Botnet Countries. Countries in this list have the highest number of detected spam-bots as listed in the Spamhaus XBL zone. Most bots are used for spam, phishing, click-fraud, DDoS and other malicious activities
  • The World’s Worst Botnet ISPs. Internet Service Providers in this list have the highest number of detected spam-bots as listed in the Spamhaus XBL zone
  • The World’s Worst Botnet ASNs. Autonomous System Numbers (ASNs) in this chart have the highest number of detected spam-bots as listed in the Spamhaus XBL

The size of the problem

Many issues may contribute to to a country’s bot density, including technical, policy and socioeconomic factors. Currently, fifty percent of the countries with the worst botnet infestations are in Asia, where good anti-virus software is less available and ISP best practices such as outbound port-25 management (.pdf) or filtering has not yet been widely implemented. Vietnam, India and China lead the way each with over 1,000,000 systems detected running spam-bots. The sheer numbers of botnet-infected personal computers in these countries is staggering. What can be more staggering is when one computes the per-capita infection rates

It always surprises and somewhat saddened us to still see western nations in the worst list. This time we see the USA in at #8 and Italy at #10 with around a quarter of a million IP addresses identified.

Ever growing numbers in Russia

In fourth place is a nation that straddles Asia and Europe: Russia. With almost 600,000 compromised computers running malware.

It holds a unique position in botnet issues. Five to ten years ago, when big botnets first appeared, the predominantly Russian based cybercriminals that operated them attacked other countries but left their own nation’s citizens alone. This changed some time ago; now managing botnets is all about the money to be made from cybercrime. The criminals who run botnets in Russia have seen that, as in other nations, there is nearly no enforcement of laws against cybercrime, so they attack everybody without regard for where they live.

Some Russian citizens (who presumably were not well informed about botnets) even hailed Russian “GameOver Zeus” botmaster Evgeniy Mikhailovich Bogachev (for whom the US FBI has offered a $3-million reward-for-capture) as a sort of a hero for “liberating” money from Europeans and N.Americans. He was no hero. Our data showed that the “GameOver Zeus” malware had infected tens of thousands of Russian citizens’ computers, whose hard-earned money was stolen by these same cybercriminals.

Service providers & networks

The majority of ISPs with the worst botnet problems are also in Asia. The reasons why are much the same as outlined above. These companies allow a large number of malware-infected computers belonging to their users to remain infected, remain connected to their network, and attack other networks and computers. As this article is being written, one Vietnamese ISP has over a million infected computers. We hope that these ISPs, seeing their names on this list, might make changes in their policies and practices so that they do not continue to contribute materially to the crimes committed by botnet owners.

The third list covers Autonomous System Numbers, another way of viewing this issue. An ASN is a collection of IP address ranges that are under the control of a single administrative entity or network (usually a large company, ISP, or government).


The arrival of the Internet brought new freedoms to people all over the world. Civilized society has rules which prohibit people and companies from releasing toxic waste into the environment, where it harms other people and damages a common resource that belongs to us all. Society also needs rules which prohibit people and companies from operating malware-infected computers on the Internet, for the same reasons. The Internet is a common resource. Individual people and companies do not have the right to damage a resource that is held in common and can be used by all. Although Spamhaus can provide the data to help protect your network from this damage, until the companies that provide Internet access and the end users themselves start “stepping-up” and taking responsibility for their online actions, the botnet plague will remain with us.

Related Products

Data Query Service (DQS)

Spamhaus’ Data Query Service (DQS) is an affordable and effective solution to protect your email infrastructure and users.

Using your existing email protection solution, you will be able to block spam and other related threats including malware, ransomware, and phishing emails.

The service has never failed and utilizes the longest established DNSBLs in the industry.

  • Proactive & preventative
  • Save on email infrastructure & management costs
  • Actionable

Passive DNS

Our Passive DNS allows you to quickly and easily navigate through billions of DNS records to shine a spotlight on potentially malicious internet resources associated with your network or domain.

  • Reduce investigation times
  • Protect your online brand
  • Protect customers and end-users


Botnet Threat Update Q1 2020

15 April 2020


The number of botnet Command & Controllers (C&Cs) associated with fraudulent sign-ups, reduced by 57% in Q1 2020, however it isn't all good news. Find out the full details on botnet C&C activity here.

Botnet Threat Report 2019

24 January 2020


Spamhaus Malware Labs identified a 71.5% increase in the number of botnet command & controllers in 2019. Find out who and what was driving that increase.

The Value of Threat Intelligence – The White Paper (2019)

29 October 2019


In this Osterman Report, over 200 companies were interviewed to find out how they were utilizing threat intelligence data. Compare yourself to the market place, and find out how others are protecting themselves.