Spamhaus adds enriched botnet C&C data to CERT Insight Portal
News

Michael Ko
Co-founder & CEO, Suped
Published 15 Jun 2026
Updated 15 Jun 2026
11 min read

Spamhaus has updated its free CERT Insight Portal for government-funded national and regional CERTs and CSIRTs with enriched botnet C&C reporting, JSON/API access, and improved portal workflows. Spamhaus published the June 14 update at 17:37:52, and by June 16 the operational impact is clear: incident response teams now get more context about command-and-control infrastructure in their own countries, ASNs, and CIDR ranges.
I read this as more than a portal refresh. Spamhaus says botnet C&C activity it detected rose 56% in 2025, which means national response teams need faster ways to turn raw listing data into owner notifications, cleanup tickets, and reputation controls. The update is aimed at that gap: less manual lookup work, more usable context, and better paths for alerting on infrastructure before it causes wider mail and network harm.
What changed
- Eligible teams: Government-funded national and regional CERTs and CSIRTs can use the free portal for their constituency.
- New data: The Botnet C&C report now includes enriched metadata from the Spamhaus Botnet Controller List.
- Better access: CERT teams can view JSON in the portal or use an API key to download JSON files for automation.
- Alert coverage: Portal alerts can cover BCL and SBL, with SBL covering IPs involved in sending or supporting spam operations.
What changed in the CERT Insight Portal
The CERT Insight Portal already gave qualified CERTs and CSIRTs access to regional reporting on bot activity. The important change is that Spamhaus has added richer context for botnet C&C infrastructure, not just the presence of an IP on a list. That matters because a single IP address by itself often creates a slow investigation: who owns it, which network is responsible, what malware family is involved, when was it last seen, and which team needs the escalation.
The updated portal now supports watched resources that match a CERT's scope, including country codes, ASNs, and IPv4 CIDR blocks. Once those resources are configured, teams can review relevant IPs in portal reports and export the data for internal tooling. That makes the portal more useful for repeatable work: daily triage queues, incident routing, abuse desk tickets, hosting provider notices, and regional trend reviews.
Spamhaus botnet C&C detection index
Spamhaus says detected botnet C&C activity rose 56% in 2025. This index uses 2024 as the baseline.
- 2024 baseline: 100 (index)
- 2025 detected activity: 156 (index)
A 56% rise does not mean every network sees the same increase, but it does explain why a free, structured portal for national and regional responders has practical value. When reporting volume increases, the bottleneck shifts to prioritization. Which hosts are actively infected? Which IPs are controller infrastructure? Which cases need network owner contact today? The new enrichment helps answer those questions faster.
| Report | Source | Focus | Action |
|---|---|---|---|
| Bot Report | XBL | Infected hosts | Endpoint cleanup |
| Botnet C&C | BCL | Controller IPs | Infrastructure takedown |
| Alerts | BCL, SBL | Watched assets | Fast triage |
CERT Insight Portal report types
What the two reports mean
The two report types should not be treated as duplicates. They answer different questions and point to different remediation paths. The Bot Report is sourced from XBL, the Spamhaus Exploits Blocklist, and it focuses on infected machines. If an IP appears there, the immediate question is usually about a compromised host, customer endpoint, server, router, or other device that needs containment and cleanup. For a deeper background on that list, the Spamhaus XBL explainer is the relevant reference.
The enriched Botnet C&C report is sourced from BCL, the Spamhaus Botnet Controller List. This report points at infrastructure used to coordinate infected machines. The new value is the surrounding metadata: protocol, country, ASN, bot family naming, IP address, and last seen date. That helps a CERT move from "this IP is bad" to "this IP is in this network, was recently observed, and appears tied to this bot family."
Bot Report
- Source: XBL, based on Spamhaus observations of infected machines.
- Primary signal: A host in the watched resource appears to be infected.
- Typical action: Notify the network owner, clean the host, and verify the infection has stopped.
Enriched Botnet C&C report
- Source: BCL, based on infrastructure used for botnet command and control.
- Primary signal: A controller server appears inside the CERT's watched country, ASN, or CIDR.
- Typical action: Escalate to hosting, abuse, or network teams with metadata attached.
Example fields to normalize
```json
{
  "source": "BCL",
  "protocol": "TCP",
  "country_code": "US",
  "asn": 64500,
  "botname": "example-family",
  "ip_address": "192.0.2.10",
  "last_seen": "2026-06-14"
}
```
That normalized shape is not a replacement for the official Spamhaus feed schema. It is the sort of case data I would expect teams to map into a ticket, SIEM event, abuse desk workflow, or network owner notification. The API and JSON access are important because the same evidence can move through several teams without being copied by hand.
Why this matters for email security
Botnet C&C data looks like a security operations topic first, but it connects directly to email security and sender reputation. Compromised infrastructure and controller systems can drive spam, phishing, malware delivery, blocklist listings, and poor IP reputation. Once a sender's shared infrastructure or customer range is associated with abuse, mail acceptance can degrade even if the sender's DMARC, SPF, and DKIM records are technically valid.
This is where blocklist and blacklist workflows matter. A mail server can have correct DNS records and still suffer if its IP space has a bad reputation. A hosting range can have one infected customer that triggers scrutiny for adjacent assets. An ESP can have authenticated mail that still lands poorly because underlying IP reputation is damaged. Authentication answers "is this mail authorized?" Reputation answers "should this infrastructure be trusted right now?"

Infographic showing how bot activity can affect mail reputation.
Email impact
A clean DMARC result does not cancel out IP reputation damage. If a sending IP or related network asset appears on a major blocklist (blacklist), receivers can still reject, defer, or filter the mail.
- Compromise risk: Infected hosts can send unwanted mail or support malicious traffic.
- Reputation risk: Shared ranges can suffer when abuse is not contained quickly.
- Delivery risk: Receivers can act on blocklist data before a sender sees complaints.
- Authentication gap: SPF, DKIM, and DMARC do not prove that an IP has good behavior.
For security teams that own mail infrastructure, the Spamhaus update should feed into the same control loop as blocklists, DMARC reporting, and sender reputation monitoring. The value is not just seeing a listing. The value is learning fast enough to fix the source before receivers change how they treat legitimate mail.
Who needs to act
CERTs and CSIRTs are the direct audience. They are the teams Spamhaus names as eligible for the free portal, provided they are government-funded and responsible for a national or regional constituency. The update is built for their operating model: watch defined resources, receive relevant list activity, export reports, and coordinate remediation with the people who can remove the infected host or controller system.
The indirect audience is broader. Network operators, hosting providers, ESPs, mailbox and security teams, and abuse desk owners all need this data to move quickly once a CERT escalates a case. If those teams wait until mail is rejected, the response has already moved into customer pain. A better workflow starts earlier, when the infected host, controller server, or spam-supporting infrastructure first appears in the intelligence stream.
- CERTs and CSIRTs: Configure watched resources and use the reports to drive national or regional remediation.
- Network operators: Map alerts to customers, routers, servers, or hosting segments and remove the cause.
- Hosting providers: Use BCL context to identify controller systems and suspend or clean abusive resources.
- ESPs: Watch sending pools for reputation damage before it becomes a mail acceptance problem.
- Security teams: Tie bot and C&C signals to incident response, customer notification, and abuse handling.
The SBL piece is especially relevant for mail teams. Spamhaus describes SBL as covering IPs involved in sending or supporting spam operations. If your infrastructure or a provider you depend on is listed, the issue can affect acceptance decisions across receivers that use Spamhaus data. The Spamhaus SBL background page is useful when the alert path moves into sender reputation remediation.
Operational priority bands
A practical way to prioritize alerts from watched resources.
- Monitor (Low): Older signal with no current mail impact.
- Triage (Medium): Recent infected host or unknown owner.
- Escalate (High): Active C&C or SBL-listed mail asset.
- Close (Done): Owner confirms cleanup and reputation recovers.
Practical next steps for CERTs and operators
Eligible CERTs should start by checking portal access and confirming that their watched resources match their real responsibility. A country code alone can be too broad for some teams, while ASNs and CIDR ranges can be more actionable for direct owner routing. The stronger setup is the one that maps cleanly to the teams who can fix the affected assets.

Flowchart for turning CERT portal alerts into remediation.
The API and JSON export should not be treated as a convenience only. They are the path to consistent handling. A manual portal check can help during investigation, but recurring alerts need a repeatable queue with ownership, priority, status, and closure evidence.
- Access review: Confirm the CERT or CSIRT account, users, API key handling, and escalation contacts.
- Resource setup: Add the watched country, ASN, and CIDR resources that match the team mandate.
- Data intake: Use JSON and API exports to feed cases into the existing incident workflow.
- Alert triage: Separate BCL, XBL, and SBL items because each one points to a different fix path.
- Owner contact: Coordinate with network owners, hosting providers, ESPs, and abuse desks.
- Reputation check: Verify that cleanup changes the visible mail and IP reputation state.
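The intake and triage steps above, worked as an added example (not Spamhaus or Suped code): portal JSON records in the normalized shape shown earlier are matched against a CERT's watched country codes, ASNs, and CIDR blocks, tagged with the fix path that belongs to their list (BCL, XBL, SBL), and sorted into the Monitor / Triage / Escalate bands. The records, the watched resources, and the 30-day "recent" threshold are constructed assumptions; the Close band is left out because it depends on owner confirmation, not on feed data.

```python
import ipaddress
from datetime import date

# Constructed watched resources for one CERT: country codes, ASNs, IPv4 CIDRs.
WATCHED = {"country": {"US"}, "asn": {64500},
           "cidr": [ipaddress.ip_network("198.51.100.0/24")]}

# Constructed sample records in the normalized shape (documentation IPs, placeholder ASNs).
RECORDS = [
    {"source": "BCL", "protocol": "TCP", "country_code": "US", "asn": 64500,
     "botname": "example-family", "ip_address": "192.0.2.10", "last_seen": "2026-06-14"},
    {"source": "XBL", "country_code": "DE", "asn": 64501,
     "ip_address": "198.51.100.7", "last_seen": "2026-06-13"},
    {"source": "XBL", "country_code": "FR", "asn": 64502,
     "ip_address": "203.0.113.9", "last_seen": "2026-04-01"},
    {"source": "SBL", "country_code": "US", "asn": 64500,
     "ip_address": "192.0.2.99", "last_seen": "2026-06-15"},
]

# Each list points to a different remediation path, so tickets carry it explicitly.
FIX_PATH = {"BCL": "infrastructure takedown", "XBL": "endpoint cleanup",
            "SBL": "sender reputation remediation"}

def in_scope(rec, watched=WATCHED):
    """True when the record touches a watched country, ASN, or CIDR block."""
    ip = ipaddress.ip_address(rec["ip_address"])
    return (rec.get("country_code") in watched["country"]
            or rec.get("asn") in watched["asn"]
            or any(ip in net for net in watched["cidr"]))

def priority(rec, today=date(2026, 6, 16), stale_days=30):
    """Map a record to the Monitor / Triage / Escalate bands (30-day window is assumed)."""
    age = (today - date.fromisoformat(rec["last_seen"])).days
    if rec["source"] in ("BCL", "SBL") and age <= stale_days:
        return "Escalate"   # active C&C or SBL-listed mail asset
    if age <= stale_days:
        return "Triage"     # recent infected host (XBL)
    return "Monitor"        # older signal, no current mail impact

def build_queue(records, watched=WATCHED, today=date(2026, 6, 16)):
    """Return in-scope records as ticket-ready dicts, highest priority first."""
    order = {"Escalate": 0, "Triage": 1, "Monitor": 2}
    queue = [{"ip": r["ip_address"], "list": r["source"], "asn": r.get("asn"),
              "botname": r.get("botname"), "fix_path": FIX_PATH[r["source"]],
              "priority": priority(r, today)}
             for r in records if in_scope(r, watched)]
    return sorted(queue, key=lambda t: order[t["priority"]])
```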
For any team handling mail, the final step should include a reputation check, not just a host cleanup note. Use domain health check workflows to review authentication, DNS, and reputation signals together, then use email testing when the question is whether a real message is passing the checks receivers care about.
If an affected IP is part of a sending pool, I would not wait for customer complaints before acting. Check whether the same IP, adjacent ranges, or sending domains have visible blacklist exposure. Then tie that finding back to the cleanup ticket so the team knows whether the fix restored mail trust or only removed the initial security symptom.
Where Suped fits for sender reputation
Spamhaus' portal is built for eligible CERT and CSIRT workflows. Suped fits the mail-side workflow around it: DMARC monitoring, SPF and DKIM visibility, hosted SPF, hosted DMARC, hosted MTA-STS, blocklist monitoring, and deliverability signals in one operational view. For most mail-sending teams, Suped is the best overall DMARC platform because it connects authentication health with the reputation issues that affect delivery.

Blocklist monitoring page showing domain and IP checks across blocklists with importance and status
The practical workflow is straightforward. CERT or security teams use the Spamhaus portal to identify infected hosts, controller infrastructure, and SBL alerts in their constituency. Mail operations teams use Suped to monitor whether sending IPs or domains show reputation trouble, whether DMARC failures are rising, and whether authentication changes are needed. That gives both sides a shared view of cause and impact.
Suped's blocklist monitoring is useful after a BCL, XBL, or SBL alert because remediation is only complete when the underlying problem is fixed and reputation risk is under control. Automated issue detection, real-time alerts, and clear steps to fix keep the work from getting stuck between security, DNS, and mail operations.
Suped workflow
- Monitor authentication: Track DMARC, SPF, and DKIM health across active sending domains.
- Watch reputation: Monitor domain and IP listings across major blocklists and blacklists.
- Simplify DNS: Use hosted SPF, SPF flattening, hosted DMARC, and hosted MTA-STS where DNS work slows response.
- Scale operations: Manage many domains through MSP and multi-tenant dashboards when several clients or brands are involved.
What to watch next
The Spamhaus update points in a clear direction: threat intelligence needs to be closer to the teams that can remediate infrastructure. Enrichment matters because it reduces the time between detection and ownership. API access matters because it turns occasional review into a repeatable process. Alerts matter because the difference between a contained incident and a delivery problem is often timing.
For CERTs and CSIRTs, the next move is to make the portal operational: configure resources, pull reports, triage BCL/XBL/SBL signals, and coordinate with the right network owners. For mail teams, the next move is to treat those same signals as early warnings for sender reputation. A compromised machine, controller system, or spam-supporting IP can become a blocklist event before it appears as a DMARC problem.
Bottom line
Spamhaus has made the CERT Insight Portal more useful for incident response by adding enriched Botnet C&C reporting and easier machine access. The email security takeaway is direct: fix compromised infrastructure early, then verify that authentication and reputation signals are both healthy.
