Abstract
Emails are a vital form of communication, owing to their open nature, which allows any individual to send emails to anyone else without centralized monitoring. While this has facilitated the widespread adoption of email, it has also inadvertently facilitated malicious activities, such as spam and phishing attacks, which pose a serious threat to the security of organizations worldwide. The volume of such emails is growing at an alarming rate, leading to security researchers finding new ways to protect their organizations. To develop effective protection, it’s essential to identify commonalities among emails, such as whether they originate from the same attacker, contain similar wording, or promote nearly identical products. The commonalities used in research to group emails can vary significantly. While the range of research is laudable, the absence of consistent language, datasets, and features can make understanding the results and limitations of this field very challenging. In this systematic literature survey, we looked at 23 research articles on grouping spam and phishing emails, focusing on two foundational aspects (definition of a group and use case) and four methodological aspects (dataset, input features, clustering or grouping algorithms, and evaluation strategies). We propose three definitions of `campaign’ representing how researchers approach the groupings: source-based, scam-based, and response-based. Furthermore, we discuss the various features and algorithms that have been utilized in relation to the goals of the researchers and highlight the key takeaways and recommendations for future work.