@inproceedings{diaz-etal-2024-spamclus,
    title = "{S}pam{C}lus: An Agglomerative Clustering Algorithm for Spam Email Campaigns Detection",
    author = "D{\'i}az, Daniel  and
      Al-Nabki, Wesam  and
      Fern{\'a}ndez-Robles, Laura  and
      Alegre, Enrique  and
      Fidalgo, Eduardo  and
      Mart{\'i}nez-Mendoza, Alicia",
    editor = "Mitkov, Ruslan  and
      Ezzini, Saad  and
      Ranasinghe, Tharindu  and
      Ezeani, Ignatius  and
      Khallaf, Nouran  and
      Acarturk, Cengiz  and
      Bradbury, Matthew  and
      El-Haj, Mo  and
      Rayson, Paul",
    booktitle = "Proceedings of the First International Conference on Natural Language Processing and Artificial Intelligence for Cyber Security",
    month = jul,
    year = "2024",
    address = "Lancaster, UK",
    publisher = "International Conference on Natural Language Processing and Artificial Intelligence for Cyber Security",
    url = "https://preview.aclanthology.org/fix-sig-urls/2024.nlpaics-1.8/",
    pages = "64--69",
    abstract = "Spam emails constitute a significant proportion of emails received by users, and can result in financial losses or in the download of malware on the victim{'}s device. Cyberattackers create spam campaigns to deliver spam messages on a large scale and benefit from the low economic investment and anonymity required to create the attacks. In addition to spam filters, raising awareness about active email scams is a relevant measure that helps mitigate the consequences of spam. Therefore, detecting campaigns becomes a relevant task in identifying and alerting the targets of spam. In this paper, we propose an unsupervised learning algorithm, SpamClus{\_}1, an iterative algorithm that groups spam email campaigns using agglomerative clustering. The measures employed to determine the clusters are the minimum number of samples and minimum percentage of similarity within a cluster. Evaluating SpamClus{\_}1 on a set of emails provided by the Spanish National Cybersecurity Institute (INCIBE), we found that the optimal values are 50 minimum samples and a minimum cosine similarity of 0.8. The clustering results show 19 spam datasets with 3048 spam samples out of 6702 emails from a range of three consecutive days and eight spam clusters with 870 spam samples out of 1469 emails from one day."
}