Advances in spam detection for email spam,web spam,social network spam,and review spam: ML-based and nature-inspired-based techniques

2.1.1. Characteristics of webspam

Webspam can be classified based on the techniques used to increase webpage ranking. The main types include content spam, link spam, and cloaking spam [94]. Spam webpages contain misleading contents, such as trending topics, keywords, and popular terms that attract many clicks from users [115]. Furthermore, some spam webpages contain anchor links and hidden links. Hidden links can be used to conceal usernames and blog comments. Spam webpages also contain misleading associations to webpages. Some spammers create a network of pages that are closely connected to increase their link-based score and bypass the ranking algorithms of search engines. Some spammers also design techniques (called cloaking spam) that can display different versions of a website to users and search engines. Typically, a legitimate version of the website is sent to the search engine for ranking and indexing, while the malicious version is displayed to users.

2.1.2. Problems caused by web spam

Webspam degrades the quality of search results by suggesting unwanted web pages and misleading users to fake websites. It also causes search engines to waste computational and storage space when processing irrelevant web pages. Some spam webpages contain malicious links to malware or viruses that can cause damages to user’s computers.

2.1.3. Features to be exploited for web spam detection

Webspam detection systems can be designed to automatically detect spam webpages and remove them from search results. The key to achieving this is to determine certain features that are good indicators of legitimate and illegitimate web pages. These features are related to the contents or links in webpages [15]. Content-based features are related to the words on the webpage, such as the number of words in a webpage, number of words in a webpage title, and the average length of words in a webpage. Popular words and trending topics in each webpage can also serve as good indicators of legitimate webpages. These words can be extracted and compared to the actual content of the webpage. Webpages that contain words that do not match the actual content can be flagged as spam webpage. Link-based features include the number of links in a webpage, IP address in links, and the number of page entry link. These features can be extracted from links in webpages and used to build web spam classifiers.

Some webpages may contain resources (such as images and scripts) that are loaded from external links. These webpages could be spam webpages [94]. Some of them may contain JavaScript codes that are written by spammers to steal personal information from users. JavaScript codes can also be used to facilitate cloaking spam. Spammers can use it to send malicious contents to users with JavaScript-enabled browsers, and legitimate contents to search engines. JavaScript tags and functions can be extracted from webpages, analyzed, and used to build effective methods for identifying cloacking-based webspam. Also, large datasets (containing the different types of webpage features) can be collected and used to build ML models for webspam detection.

2.2.1. Characteristics of review spam

Fake or truthful reviews can be identified based on their content. Truthful reviews generally contain expressions that are more tangible, providing specific details on spatial configurations [125]. On the other hand, fake reviews contain more details of the product or service offered by the spammer [37], which may be more informative than those written by genuine customers. Further, truthful reviews generally contain both positive and negative sentiments, while false reviews generally contain negative sentiments [96]. Besides, fake reviews are relatively short and full of extreme (or one-sided) criticism or praise [37]. Also, fake reviewers talk less about themselves; they focus more on the aspect of their deception that will increase their credibility [125]. Fake reviews can also be identified by the attributes of the reviewer. Some spam reviewers are known to consistently write spam [96]. Also, the profile of spam reviewers is somewhat new and unverified with few personal information [37]. Besides, the number of votes gained by fake reviews are typically few [37].

2.2.2. Problems caused by review spam

Consumer reviews form a major part of a buyer’s decisions. It is estimated that about 16% of all reviews on the Yelp platform are fake [105], 33% of all TripAdvisor reviews are fake [29], and over 50% of some Amazon product reviews are fake. These fake reviews can mislead customers into making wrong purchase decisions. It can also affect the reputation of businesses and consequently lead to a loss of customers.

2.2.3. Features to be exploited

Different features can be used to build effective review spam detection models, including bag-of-word features, Linguistic and Word Count (LIWC) output, and Part of Speech (POS) tags. In bag-of-word approach, individual or small group of words from sentences can be used as features. These features are known as n-grams, and they are extracted by selecting one (unigram), two (bigram) or three (trigram) adjacent words from a given document. In the POS tagging approach, words are grouped into different part of speech based on their definition and the context in which the word is found in a sentence. To use POS features, keywords belonging to a different part of speech can be extracted from various reviews and used to build classifiers. For example, Ott et al. [125] used the following POS features: noun, adjectives, preposition, and determiners, verbs, adverbs, and pronouns. Experiments performed by them shows that truthful reviews contain more of noun, adjectives, preposition, and determiners, while negative reviews contain more of verbs, adverbs, and pronouns.

LIWC is a software that is used for text analysis, where users can create their word dictionaries to analyse different languages relevant to them. A typical example of an LIWC feature is first-person singular pronouns. Fake reviews are usually associated with decreased usage of first-person singular pronouns. This is because spammers talk less about themselves due to lack of experience or to dissociate themselves from the deception [125]. Another LIWS feature that can be exploited is space, especially for hotel and restaurant reviews. Lack of special details in reviews is a good indicator of negative reviews. Sentiment is another good LIWC feature that can be used to build spam classifiers. The presence of negative sentiments is a good indicator of false reviews.

All the linguistic features outlined above (that is, LIWC and POS tags) are not very good standalone identifiers for review spam [114]. However, they can be combined with bag-of-words features to build effective spam detection models for review spam detection [97].

2.3.1. Characteristics of social network spam

Unlike email messages and online reviews, contents posted to microblogging websites (such as Twitter, Instagram, and Facebook) are restricted to limited character size. Besides, these contents contain many platform-specific attributes, such as idioms, shortened URLs, hashtags, mentions, and abbreviations. Moreover, messages in microblogging platforms are very unstructured and noisy [4]. Also, spam messages can be sent multiple times (from one account) to multiple users within a short period [170]. These messages can also be sent simultaneously from multiple spam accounts to multiple users [34]. Furthermore, some social network spam messages contain symbols and punctuations in place of letters. These messages may also contain punctuations inside words (such as “g.o.o.d”, instead of “good”). Besides, some social network messages contain malicious links. If users click on the link, it can mislead them to phishing websites designed to steal personal and sensitive information. It can also cause malware and viruses to be downloaded to the user’s computers [35]. These unique characteristics pose a huge challenge to current spam detection models for microblogging websites.

2.3.2. Problems caused by social network spam

Social network spam can cause pandemonium in the public and misunderstanding in trending topics. Spammers can also take advantage of trending topics by posting comments that contain links, to mislead users to fake websites and defraud them of thousands and millions of dollars. Social network spam can also be used as a means of bullying, threatening, or harassment, especially to online users. It can also be used for identity theft.

2.3.3. Features to be exploited

One of the first action that spammers typically execute is to send many friend requests to their victims. Generally, only a fraction of users will accept friend requests from strangers, since they do not know them. Therefore, a good way to tackle social network spam is to build detection systems that can identify spam profiles with a large number of sent friend requests and a small number of friends. Another way to identify spam profiles is to train classifiers on features that can identify profiles that accepted a large number of friend requests from strangers. Furthermore, an analysis performed by Stringhini et al. [163] indicates that legitimate profiles send out more messages than spam profiles. This is another potential feature that can be used to train classifiers. Researchers can study the characteristics of social network spam and build effective anti-spam solutions for social network sites.

2.4.1. Characteristics of email spam

Spam emails have some characteristics that uniquely identify them. The senders of spam emails usually hide their identity. They use different techniques to hide their identities, such as IP address, images, and HTML tags. Moreover, spam emails are usually sent to multiple people at the same time. Also, spam emails sometimes contain unpleasant content and urgent tone. They are sent with malicious intent to steal personal and sensitive information from users. Some spam emails contain URLs that can lure users to fake websites or download viruses and malware to user’s devices.

2.4.2. Problems caused by email spam

Spam emails may be free to send, but it is costly to its recipients and various service providers. Spam email cost different service providers and organizations a bandwidth loss of billions of dollars [92]. Besides, it cost them loss in employee productivity, wastage of time, resources, and storage space [166]. Moreover, spam emails expose users to unpleasant content, and it provides a means for the distribution of malicious software, like Trojan and worms.

2.4.3. Features to be exploited for email spam

Spam emails can be tackled by training ML models on features that can effectively segregate spam emails from legitimate emails. These features can be identified in different parts of an email, including email header and message content. Email headers contain information about an email, such as email route, transmission date, sender, and recipient ID. Most spammers send spam messages by falsifying some of this information. For example, they can use some sophisticated Hypertext Markup Language (HTML) functionalities to hide spam contents, such as character-entity encoding and URL encoding (Constales.book 2005). Character encoding provides a means to include special characters in HTML documents, while URL encoding provides a means to hide information in links that can be transmitted over the internet. Researchers can build models that can identify spam contents in email headers and URLs. These models can be trained on features that are extracted from different parts of email headers, including sender address, recipient address, email subject, etc. These models should also be trained on features that can identify encoded information in URLs. Table 1 shows a summary of some selected ML-based and NI-based spam detection techniques in the literature.

3.1.1. Feature selection techniques for review spam detection

Thanks to Natural Language Processing (NLP), fake reviews can be detected using ML algorithms. One of the primary issues in review spam detection is lack of differentiating words (or features) that can be used to accurately classify online reviews as fake or real [50]. A typical approach used is the bag of words approach, where the presence of individual words or group of words is used as distinguishing features. However, findings from some studies indicate that this approach is not enough to train a classifier for effective review spam detection. Many other feature extraction approaches have been adopted in the literature. [83,96,113] used individual words from online reviews as features. Shojaee et al. [153] used lexical features (such as word-based features), while Ott et al. [124] used unigram and bigram term-frequencies as features.

Asghar et al. [16] considered features from three domains: opinion spam (review-based features), opinion spammer (review-based features) and item spam (product-based features). They designed a rule-based feature weighting technique for classifying review spam in the context of big data. It consists of two components for computing feature values and feature weights. They also introduced a spam score computation technique for computing and assigning scores to each feature based on their priority and role in spam detection. Furthermore, they introduced some new set of spamicity-related features and combined them with the rule-based weighting scheme for classification of review spam. The Spamicity-related features were designed based on the spam probabilities of different words. The technique was evaluated on an Amazon-based dataset that consists of 142.8 million product reviews. Moreover, they used the Natural Language Toolkit (NLTK) python platform. The platform provides a suite of text processing libraries for classification, tagging, stemming, other pre-processing tasks. Results from the evaluation show that the proposed weighting scheme achieved a classification accuracy of 98% and improved the accuracy of webspam detection by 3%.

Shojaee et al. [153] introduced a new technique for review spam detection using lexical and syntactic features. As mentioned above, lexical features are word-based features, while syntactic features are features that represent the writing style of the reviewers, such as the occurrence of function words or punctuation. Based on the features, they designed two ML models using SVM and NB classifiers. Moreover, they compared the performance of the combined feature set to the performance of using either lexical or syntactic features. The results revealed that the hybrid features produced the best performance, achieving an F-measure of 84% using SVM.

Ott et al. [124] introduced another technique for review spam detection using n-gram based features. They built an SVM model using bigram and unigram features (extracted from negative reviews) and achieved an accuracy of about 86%. Moreover, they evaluated the classifier on both positive and negative review and observed that the accuracy of the classifier slightly reduced. This suggests that separating spam review detection into positive sentiment and negative sentiment spam review detection is helpful. Furthermore, based on the findings in [82], review spam detection techniques can be improved if n-gram features are combined with other types of features, such as bag-of-word features.

Jindal and Liu [82] introduced a ML technique for identifying opinion spam in reviews. They constructed a dataset consisting of 5.8 million product reviews from Amazon, generated by over 2 million users. They extracted several features from the dataset and built a LR, SVM and NB model with the features. The models were evaluated, and they achieved promising results. As shown in their study, text-based features alone cannot be used to build effective models for review spam detection; addition of other types of features will improve the performance of classifiers. However, as the feature size increases, the feature size of the dataset increases, leading to an increase in computational complexity and possibly leading to overfitting [73]. Therefore, there is a need to build models with balanced speed-accuracy trade-off. This is an area for future research.

3.1.2. Review spam detection techniques for multiple domains

Li et al. [97] argued that existing supervised ML methods are trained on features that are specific to certain domains. Therefore, they introduced a classification framework for detecting review spam in different domains, specifically: restaurants, hotels, and doctor. The framework was based on the Sparse Additive Generative Model (SAGE) originally introduced by [61]. The authors generated a combination of different models using SAGE and SVM. Moreover, they investigated different feature extraction techniques and observed that general features like LIWC output and POS tag frequencies perform better than unigram features when performing cross-domain classification. However, unigram features produce a better result when performing intra-domain classification (e.g. restaurant reviews only). This indicates that a generic model cannot effectively detect review spam in different domains. Therefore, cross-domain classifiers require features that can effectively identify spam in different review domains.

3.1.3. Review spam detection techniques for different languages

Online reviews are not restricted to one Language; reviewers have the liberty to write reviews in different languages. Although some features (e.g. word features) will change per language, many of the features will remain unchanged [50]. Abu Hammad [2] introduced an approach for spam detection in Arabic online reviews. They noted that the class distribution of online reviews is imbalanced. Given this, they created a new dataset (which was very imbalanced) and applied Random Oversampling (ROS) and Random Undersampling (RUS) techniques to balance the class distribution in the dataset. Furthermore, they trained the balanced dataset on SVM and NB and discovered that NB produced the best performance, achieving a F-measure of 99.59%.

3.1.4. Review spam detection techniques for spammer groups

Most studies in the domain of review spam detection proposed techniques for identifying fake reviews written by individual reviewers. However, few studies have been done to identify fake reviews written by a group of malicious reviewers (called spammer groups). [113] introduced a technique for identifying spammer groups. They created a labelled group dataset and used frequent itemset mining [7] to search for spammer groups. Moreover, they evaluated the group dataset on some supervised ML algorithms (SVM, LR and Support Vector Regression) and the results indicate that applying supervised learning technique to identify spammer groups is not very effective. They introduced a relation-based technique for detecting spammer groups, called Group Spam Rank (GSRank). The technique is designed to rank the candidate groups based on their likelihood of being spam or not. The technique was evaluated, and results indicated that the proposed approach outperforms other baseline approaches for identifying spammer groups.

3.1.5. Semi-supervised learning for review spam detection

Most studies focused on building supervised learning approaches. A key challenge in these approaches is obtaining ground truth for the training dataset. Given this, some studies introduced semi-supervised learning approaches that rely on both labelled and unlabeled datasets. Stanton and Irissappane [161] proposed a semi-supervised GAN for spam detection in online reviews (called spamGAN). The technique consists of three modules, namely: generator, discriminator, and classifier. The generator module (which acts as the reinforcement learning agent) is used to generate new sentences (called fake sentences) belonging to either spam or non-spam class. The discriminator module is used to distinguish between fake and real sentences. It informs the generator (via rewards) whether the sentence it generates is realistic or not. The competition between the generator module and discriminator module improves the quality of the sentences that are generated. The classifier module contains a classifier that is trained on the original dataset and the fake sentences produced by the generator. The classifier’s performance on the fake sentence is used as feedback to improve the quality of sentences produced by the generator. The technique was evaluated on a dataset obtained from TripAdvisor [125], and it outperformed other supervised learning approaches, achieving a F1 score of 86.8%.

Aghakhani et al. [6] introduced another method for review spam detection, called FakeGAN. Unlike standard GANs that use one generator and discriminator models, FakeGAN consists of two discriminator models and one generator models. The generator is modelled as the reinforcement learning agent. The two discriminator models are trained simultaneously to estimate the intermediate action-value (using Monte Carlo search algorithm) and pass it as a reward to the generator. The authors claim that using two discriminator modules allows the generator to learn the data distribution in both truthful and deceptive reviews. The technique was evaluated TripAdvisor hotel reviews, and results show that it produced similar accuracy compared to supervised learning approaches.

3.1.6. Review spam detection technique for positive and negative reviews

Ott et al. [125] designed three ML-based techniques for detecting review spam. They created a new dataset using Amazon Mechanical Turk [12] and TripAdvisor [171]. The dataset consists of 400 truthful reviews and 400 fake reviews. In a different study [124], they created another dataset of the same size and combined it with the first dataset. The dataset contains negative reviews. They extracted three groups of features from the dataset and used them to train two classifiers: SVM and NB. The result revealed that SVM outperforms NB, achieving a classification accuracy of 89.8%.

3.2.1. Conventional machine learning techniques for social spam detection

Aswani et al. [17] designed a hybrid spam detection technique for identifying spam profiles in social networks. They examined over 1.8 million tweets from 14,235 Twitter users (using social media analytics) and extracted several content-based features from the tweets, including hashtag frequency, retweet count, URL count, unique word count. Moreover, they extracted user-profile-based features from the tweets, such as follower count, tweet count, friend count, etc. Besides, they introduced a novel set of features, called semantic features, and extracted them from the tweets. Finally, based on the extracted features, they deigned a hybrid approach using Levy-Flight Firefly Algorithm (LFA), Chaotic Optimization Algorithm (COA) and K-means algorithm to cluster the Twitter users into spam and non-spam.

Dutta et al. [60] introduced a feature selection technique to improve the detection of spam profiles in an online social network. Previous feature selection techniques ignore the mutual dependencies between features, which might lead to the selection of highly correlated features. Therefore, Dutta et al. [60] introduced a graph-based greedy approach to select features with mutual dependencies. They used graph theory to model the dependencies between features, then used the concept of RST to select a feature subset. They evaluated the technique on five datasets, and they focused on Tweets that have links since spam is mostly circulated through links to malicious websites. Moreover, they extracted several attributes (using their attribute selection technique) from the datasets, including Tweet text-based attributes, URL-based attributes, and user-profile-based attributes. Finally, based on the extracted attributes, they built different classification models (using eight ML algorithms) for classifying spam from non-spam.

Adewole et al. [4] introduced a unified framework for spam account detection in Twitter microblogging website). The framework consists of 10 ML algorithms and one bio-inspired algorithm (EA). The bio-inspired algorithm was used to identify a reduced set of features for spam account detection in the Twitter social network. Besides, they introduced a set of new graph-based features and combined it with some existing features identified in the literature. Based on these features, they trained 10 ML algorithms, namely: RF, J48, ADTree, SVM, MLP, AdaBoost, Decorate, LogitBoost, Bayes Network, and Random committee. The results indicate that LogitBoost classifier produced the best result for spam account detection, achieving an accuracy of 93.2%.

Alsaffar et al. [11] performed a comparative analysis of seven learning algorithms for Twitter spam detection, namely RF, NB, Bayesian Network, SVM, KNN, MLP, and RNN. They compared the performance of the algorithms based on two test options: 10-fold cross-validation and percentage split. They performed the analysis on a Twitter dataset consisting of 10,000 instances and 12 features, including the number of account age, number of followers, number of following, number of user favourites, number of lists, number of tweets, number of retweets, number of hashtags, number of user mentions, number of URLs, number of characters, and number of digits. The analysis indicated that RF outperforms all the compared ML algorithms including RNN. The poor performance of RNN is likely due to the size of the dataset used for training. Moreover, the result showed that 10-fold cross-validation produces a better result than the percentage split.

TinyURL is a link shortening web service that provides short aliases for long URLs. TinyURL can be exploited by spammers to transmit malicious content in social networks. Padmanabhan et al. [126] introduced a technique for identifying spam in TinyURLs, specifically focusing on Twitter tweets. They extracted a set of reduced features from different tweets and used these features to train three ML classifiers: LR, DT, and SVM. The results showed that SVM outperforms the other classifiers in identifying spam from TinyURLs.

3.2.2. Deep learning techniques for social spam detection

Most of the feature selection approaches proposed in the literature used hand-crafted features. However, hand-crafted feature selection approaches can be cumbersome and time-consuming. Besides, most of the existing techniques are based on traditional ML algorithms; very few studies focused on deep learning algorithms. Deep learning algorithms are popularly used for image classification or regression problems. They can also be used for Natural Language Processing (NLP) problems, such as social network spam detection. Ma et al. [106] introduced an approach that can automatically identify rumours from microblogs using deep learning. The authors assumed that people exposed to dubious claims tend to dispute its truthfulness by commenting on it or forwarding the claim. This generates a continuous stream of posts and a long-distance dependency of evidence. Given this sequential nature of text streams in a social network, Ma et al. [106] used RNN to learn the variations of contextual information posted by users over a period. They achieved this by modelling the social context information of an event as a variable-length time series. The authors evaluated the technique on two datasets collected from Twitter and Sina Weibo, consisting of millions of rumours and non-rumour posts, and it achieved a prediction accuracy of 91.0%.

Generally, spam patterns change over time, and this change affects the performance of existing ML-based classifier. This phenomenon is known as spam drift. Due to the problem of spam drift, ML algorithms cannot efficiently identify spam activities in real-life settings [184]. Wu et al. [184] proposed a deep learning-based technique for identifying spam in social networks. They collected different Tweets and used the WordVector approach to convert the tweets to feature vectors. Based on the feature vectors, they built a CNN-based classification model for identifying Twitter spam. The results obtained shows that deep learning-based techniques perform better than text-based spam filtering methods. Jain et al. [80] introduced a hybrid deep learning framework for spam classification in a social network. The framework consists of two algorithms, namely CNN and Long Short-Term Neural Network (LSTM). They used CNN to extract the relevant n-gram features from text sentences and used LSTM to capture long-term and high-level dependencies of these features. The authors used word2vec to convert texts to feature vectors. They also used semantic dictionaries (such as WordNet and ConceptNet) to extract the closest semantic word to a given word. Doing this will enable the classification model to learn semantic vector representations of words. The proposed architecture was evaluated on a Twitter dataset, and it achieved an accuracy of 95.48%.

3.2.3. Semi-supervised learning for social spam detection

One of the latest trends in social network spam is semi-supervised learning for big social data analysis. Most studies rely heavily on a labelled dataset and ignore the huge volume of unlabelled data that is currently available. Semi-supervised techniques are well suited for harnessing the insights in both labelled and unlabelled datasets.

Li et al. [99] introduced a semi-supervised framework for spam detection in a social network. The framework is designed to iteratively train a classifier by using a social graph. They extracted features from a small labelled dataset and used them to train an initial classifier. Further, they designed a ranking model to generate trust and distrust samples based on the social relationship of users in the small dataset. Moreover, they used the initial classifier to label the top-ranked users and select the high confident users as the new dataset. The new dataset is then used to re-train the initial classifier. These steps are repeated until the classifier cannot be further improved. The technique was evaluated, and the results show that it can effectively identify social spammers in a situation where there is an insufficient amount of dataset. [194] introduced another semi-supervised framework for social spam detection that combines co-training with a k-medoids clustering algorithm. They used the k-medoids clustering algorithm to generate their initial dataset. Furthermore, they designed a co-training classification framework that takes advantage of the behaviour-based and content-based features of users and use them for incremental training. They evaluated the performance of the proposed network with other supervised-based learning algorithms and it produced promising results.

Sedhai and Sun [151] proposed a semi-supervised framework for spam detection on Twitter. The framework is divided into two modules, namely: spam detection module and model update module. The spam detection module operates in real-time mode and it is designed to detect different types of tweets using four detectors. The first detector is designed to identify tweets that are contained in blacklisted URLs. The second detector identifies tweets that are near duplicates, based on previously pre-labelled tweets. It uses the MinHash algorithm [33] to achieve this. The third detector detects reliable tweets. Tweets are considered to be reliable if they do not contain spam words and if they are posted by reliable users. The fourth detector uses three classifiers (LR, NB, and RF) to detect tweets that are not processed by any of the first three detectors. The second module of the framework (i.e. model update module) is used to update the models of the four detectors accordingly. It uses the new data extracted from the first module to generate a new dataset for re-training the classification models. The incremental training gives the framework the ability to capture new vocabulary and new spam words. The framework was evaluated on a fraction of the HSpam14 dataset [150] and its performance was compared to three ML algorithms: NB, LR, and RF. The result shows that it outperformed the three classifiers in terms of F1 score.

Niranjan Koggalahewa et al. [117] proposed a fully unsupervised approach for identifying spammers in a social network based on peer acceptance. Peer acceptance refers to the degree to which a user is accepted by his peers. It can be obtained from common shared interests over numerous posts. The authors generated the peer acceptance of several users from an unlabelled dataset containing post contents and built an unsupervised ML model for identifying spammers. Although the approach did not outperform supervised learning techniques, it produced promising results that can be further improved in future studies.

3.3.1. Graph-based techniques for web spam detection

One of the popular approaches used to identify webspam is the graph-based approach. Many graph-based web spam detection approaches exploit the hyperlink structure between webpages to identify webspam [180]. In the graph-based approach, webpages are the nodes and links between the webpages are the edges. Considering a web graph and estimating the trustworthiness of a webpage in terms of its validity, webspam can be identified. Sattar et al. [148] introduced a technique for web spam detection based on a web graph. In the study, the authors introduced some graph-based features for web spam detection. Based on these features, they built different classification models for web spam detection using five ML algorithms, namely: SVM, KNN, LR, NB and RF. Moreover, they evaluated the technique on two datasets, and the results show that graph-based features achieve similar or better results compared to content-based features for web spam detection.

PageRank algorithm is another graph-based technique that can be used for web spam detection. Classical PageRank algorithms are typically designed to evenly assign weights to links, thereby disregarding the authority of webpages. Yu et al. [189] introduced an improved PageRank algorithm based on web page differentiation (DPR). The algorithm is designed to assign weights to webpages based on their page authority. The authority of each webpage is evaluated based on the number of links on a webpage. Also, Yu et al. [189] introduced a page-based clustering technique (called DPK-Means); they combined the proposed DPR technique with K-means clustering. The technique was evaluated and the result shows that the DPR algorithm outperforms existing page ranking algorithms. Moreover, the result shows that the DPK-Means algorithm produced better performance than K-means clustering. Some studies in the literature designed TrustRank and Anti-TrustRank algorithms for web spam detection. TrustRank algorithms are link-based spam detection algorithms that follow the principle that legitimate webpages tend to point to other legitimate webpages. Likewise, Anti-TrustRank algorithms are link-based web spam detection algorithms that are designed with the principles that spam webpages are likely to be referenced by other spam pages [180]. Whang et al. [180] designed an asynchronous Anti-TrustRank algorithm for web spam detection using the Gauss-Seidel algorithm. The algorithm is designed to reduce the number of arithmetic operations compared to the classical synchronous Anti-TrustRank methods. The algorithm was evaluated on a real-world Web graph collected from NAVER cooperation (a popular search engine company in Korea), and the result shows that it outperforms synchronous Anti-TrustRank algorithms.

3.3.2. Content-based techniques for web spam detection

Another popular approach used for webspam detection is the content-based approach. Some of these approaches focused on extracting features that can effectively distinguish between spam and legitimate webpages. Asdaghi and Soleimani [15] introduced a feature selection technique for web spam detection using a novel backward elimination feature subset selection technique. The main idea of the technique is to measure the impact of eliminating a subset of features on the performance of a classifier, instead of eliminating a single feature. The goal of the technique is to select the largest subset of features, such that omission of its member can cause maximization of the classifier’s performance. Moreover, the authors introduced a performance metric particularly suitable for an unbalanced dataset. The technique was evaluated on the WEBSPAM-UK2007 dataset and seven ML algorithms, and the result showed that RF outperformed all the algorithms, achieving an accuracy of 94.86%. Some studies [93,128] introduced a new set of link-based and content-based features for improved web spam detection, including word length, number of webpage words, and number of stop words in webpage Title. These features were extracted from the content of webpages and used to train ML models for classifying spam webpages.

Lu et al. [103] designed a hybrid technique for web spam detection based on ensemble classifiers. Firstly, they used the under-sampling technique to convert the unbalanced dataset to balanced dataset. Furthermore, they used the ICA algorithm to select feature subsets from the WEBSPAM-UK2006 dataset. Finally, based on the selected features, they built a model for webspam classification using an ensemble of C4.5 decision tree classifier. In another study [104], the same authors designed a similar approach for web spam detection. However, in this study, they used CSA for feature selection.

Many of the webspam detection techniques proposed in the literature are based on ML algorithms; very few explored deep learning algorithms. Makkar et al. [107] introduced a deep learning-based framework for web detection using RNN. The framework consists of two preprocessing algorithms (PCA, Recursive Feature Elimination (RFE)) and RNN. PCA was used for dimension reduction, RFE was used for feature selection, and RNN was used to build the classification model. The framework was evaluated, and the result shows that the preprocessing algorithms improved the classification accuracy by over 24%.

3.3.3. Cloaking-based techniques for webspam detection

Some studies [41,93,94,182] introduced different techniques for identifying cloaking spam. [94] introduced a set of new cloaking-based features suitable for training webspam detection models. They also proposed an improved multi-class SVM webspam detection technique that can identify three types of webspam, namely: content-based, link-based, and cloaking-based spam. The technique was trained on three datasets, and it produced a classification accuracy of 92.6%, 94.5%, and 94.8% for the three datasets, respectively. Najork [116] introduced a method for identifying cloaked web servers. In the method, an object was obtained by sending a request to a web server from a crawler, and a second object was obtained by sending a request to the server from a web browser. If there is a disparity between the two objects, then the webserver is classified as cloaked.

Wu and Davison [182] proposed three methods for identifying cloaking spam. In the first method, two copies of URLs were extracted from the web browser ( B 1 and B 2 ) and two copies of URL were also extracted from the crawler ( C 1 and C 2 ). “Bag of words” method was used to extract different terms from each URL. The number of different terms between C 1 and C 2 was calculated (denoted as TC1C2), and the number of different terms between C1 and B1 was also calculated (denoted as TC1B1). If the difference between TC1C2 and TC1B1 is greater than a certain threshold, then the webpage is classified as cloaked. In the second method, the number of different links between C 1 and C 2 (LC1C2) is counted, and the number of different links between C 1 and B 1 (LB1B2) is counted. If LB1B2 is greater than LC1C2 by a specified threshold, then the URL is classified as cloaked. The third method counts the number of terms that occurs in both C 1 and C 2 (called TBNC), but not in B 1 or B 2 (called TCNB). If the summation of TBNC and TCNB is greater than a certain threshold, then the URL is classified as cloaked. The three methods were evaluated, and results showed that the third method outperforms the first two methods, achieving a precision of 100%.

Chang et al. [41] introduced a ML-based technique for identifying cloaking URLs based on features on URL redirects. The method identifies fake webpage contents by first using an online system to transmit the URL of a queried website to a client (such as a mobile device). The mobile device then transmits a URL log back to the online system, which includes the URLs that the mobile device accessed when it was requesting the contents from the website. The online system then extracts a feature from at least one URL in the URL log, and then feed the feature into a ML model that was trained to identify cloaked websites. The model was trained on features for URL redirects. The model generates a score that indicates the likelihood that a website is a cloaked website. If the score is greater than a specified threshold, then the website is classified as cloaked.

3.3.4. Semi-supervised learning for webspam detection

Karimpour et al. [86] proposed a semi-supervised learning approach for webspam detection using the Expectation-Maximization (EM) algorithm. The EM algorithm is used to learn a classification model from a small set of labelled data and a large set of unlabeled data. The small dataset is used to build an initial classification model. The classification model is then used to label the samples in the unlabeled dataset as spam or non-spam. After labelling, the new samples are added to the training process and used to re-train the classification model. The process continues until there are no new labels to predict. The method was evaluated on the WEBSPAM-UK2007 dataset and the results show that it outperforms three supervised learning approaches (NB, C4.5, and Bayesian network), achieving an F-Score of 86%.

Zhang et al. [193] introduced a novel semi-supervised learning approach for webspam detection, called harmonic functions based semi-supervised learning. In the study, they represented labelled and unlabeled web pages as vertices in a web graph. The learning problem is then modelled as a Gaussian random field on the web graph, where the mean of the random field is described by different harmonic functions that can be computed using the matrix method. They evaluated the technique on the WEBSPAMUK2006 dataset and the result show that it is effective and can benefit from a large volume of unlabeled dataset.

Tian et al. [169] introduced another semi-supervised approach for webspam detection. The approach begins by extracting different features from a labelled dataset. The features are then used to train an initial classifier. Furthermore, the initial classifier is used to classify the new samples in the unlabeled dataset. The labelled samples are then added to the training process for re-training. In the study, the authors used a combinatorial feature-fusion method to reduce the feature size of the dataset. The technique was evaluated, and experimental results show that the hybrid approach outperformed three ML algorithms, producing an AUC score of 93.1%, 62.8%, and 77.2% for ADTree, SVM, and NB algorithms, respectively.

3.4.1. Conventional machine learning techniques for spam email detection

SVM is one of the popular ML algorithms that has been used to design improved spam email detection systems. It is one of the prevalent supervised ML algorithms, with robust theoretical background, excellent classification accuracy and good generalization performance [23]. [8,55,65,165,191] designed different spam email detection techniques using SVM and NI algorithms (such as ACO, CSA, BA). Some studies used the NI algorithms to extract relevant features or instances, while some studies used the algorithms to optimize SVM parameters for improved performance. The selected features, instances and parameters were then used to build effective SVM models for spam email detection.

ANN is another popular algorithm that has been used for spam detection. Nosseir et al. [120] designed a character-based spam email detection approach using ANN. They extracted different words from email datasets and divided them into three groups, based on their character size. Specifically, they considered words containing three, four and, five characters, such as AIR, POET, and CLAIM. They also divided the words into “bad” and “good” words, where 50% of the words were assigned to “bad” words and the other 50% were assigned to “good” words. They built different classification models based on each group and the five-character neural network produced the best result, achieving a FP rate of 99.90% for good words and 99.85% for bad words. In another study, Kufandirimbwa and Gotora [92] designed a spam email classifier using ANN and Perceptron Learning Rule (PLR). They extracted different features from the header and body parts of emails. Based on the features, they developed two classification models using ANN and PLR. They evaluated the models on a small dataset, and it produced an FP rate of 97.14%. The result looks promising; however, the model was built with small datasets, hence it will not generalize well on unseen samples.

A good number of studies used NB classifier for spam email classification because of its effectiveness for text classification. For example, Bhagyashri et al. [27] and Teli and Biradar [166] designed a spam detection technique based on NB algorithm. They used the Term Frequency (TF) algorithm to select important keyword-based features and then used NB algorithm to build a classification model based on the selected features. Rusland et al. [141] performed an analysis on NB algorithm and reported that its performance is affected by email type and dataset size. They trained NB classifier on two datasets of different sizes and the results show that it performs better on datasets with small sizes compared to datasets with large sizes. Awad and ELseuofi [18] compared the performance of six ML algorithms on the SpamAssassin dataset. They extracted 100 word-based features from the dataset and used them to train the six ML algorithms, namely: NB, k-NN, ANNs, SVMs, AIS, and Rough sets. The evaluation shows that NB produced the best results, achieving a prediction accuracy of 99.46%.

3.4.2. Ensemble-based techniques for spam email detection

Some studies introduced ensemble-based techniques for spam email detection. Trivedi and Dey [172] introduced an ensemble-based technique, consisting of three classifiers, namely: Boosted Bayesian, Boosted NB and SVM. They used a committee selection mechanism to combine the decisions of the three classifiers. In the mechanism, SVM is the president, while Boosted NB and Boosted Bayesian classifiers are the committee members. They used a greedy stepwise method to select features and built an ensemble-based email classification model with the features. In another study, Gupta et al. [72] introduced an ensemble-based spam detection method consisting of four classifiers, namely: Gaussian NB, Multinomial NB, Bernoulli NB, and DT. They used voting classifier to evaluate the accuracy of a different combination of classifiers in the ensemble. The results obtained shows that the use of voting classifier produces better accuracy than individual classifiers. However, ensemble classifiers are slower than single classifiers because they involve the combination of multiple classifiers.

Other ML algorithms have been used to design spam email classification systems, however, some of them have not been fully explored, such as RoF. Shuaib et al. [157] performed a comparative analysis of 14 classification algorithms. They evaluated the algorithms on spambase dataset [76], and the analysis showed that RoF produced the best result, achieving a prediction accuracy of 94.2%. The authors did not use any feature selection method in their study; hence the accuracy can be further improved by exploring feature selection methods. Table 2 shows a summary of all the ML-based detection techniques surveyed in this paper.

3.4.3. Semi-supervised learning for spam email detection

In the literature, many supervised learning algorithms have been studied for email detection, however, much work has not been done on semi-supervised learning for email spam detection. Li et al. [98] proposed a semi-supervised learning technique for email classification that leverages both labelled and unlabeled datasets. The technique consists of three main stages, namely: feature preparation, training, and classification. In the first stage, features were extracted from emails and converted into two sets of features: internal feature set and external feature set. The internal feature set contains features that are related to the content of an email, while the external feature set contains features that are related to routing and forwarding. In the second stage, a semi-supervised learning algorithm was used to build classification models based on the labelled features extracted from the first stage. The built classification models were used to automatically label and classify unlabeled instances. In the last stage, a decision is made by classifying the emails as spam or non-spam. The technique was evaluated on the spambase datasets, and the result shows that it outperforms four other supervised ML approaches, achieving a prediction accuracy of 88.84%. Meng et al. [111] introduced a technique for email classification using semi-supervised learning approach and data reduction. The data reduction technique is used to select optimal features for training, while the semi-supervised learning algorithm is used to improve the classification accuracy of spam detection models by automatically using unlabeled datasets. They evaluated the technique on three datasets and the result shows that it improved the classification accuracy of email detection and reduced false positives.

Whissell and Clarke [181] introduced a semi-supervised approach for email spam filtering using the k-means clustering algorithm. They considered a specific scenario for semi-supervised spam filtering; the scenario when a large amount of dataset is available for training and a small number of labels can be obtained for the dataset. They presented two approaches for this scenario, both starting with a cluster of emails for training. The first approach uses the true labels of the mediods of each email cluster to train a spam classifier. The trained classifier is used to filter the test data. The second approach is like the first approach; however, it uses the true label of each cluster’s mediods as the label for each email in the cluster. The technique was evaluated on two email datasets and the result shows that it outperforms other semi-supervised techniques. In the experiments, a different number of clusters were evaluated, and the best result was achieved when the number of clusters was set to 50 clusters.

3.5.1. Nature-inspired based techniques for email spam

Wang et al. [179] proposed a hybrid feature selection technique for email classification, called Document frequency and Term frequency combined Feature Selection (DTFS). The technique consists of two feature selection algorithms, namely: Optimal Document Frequency Based Feature Selection (ODFFS) and Optimal Term Frequency-based Feature Selection (OTFFS). The two techniques were used to select optimal features based on different predetermined thresholds. The authors argued that thresholds are dataset-dependent, hence they used harmony search optimization algorithm to select the optimal threshold for each dataset. This threshold will improve the trade-off between the features selected by ODFFS and OTFFS. The subset of feature selected by each algorithm was combined and used to train SVM and NB. They compared the performance of the techniques with other conventional feature selection algorithms, such as term frequency-based information gain, and the experimental results show that DTFS outperformed the other algorithms. Karthika and Visalakshi [87] introduced another feature selection technique for improving spam email classifiers. They used ACO to select a subset of spam email features, and the features were used to train and improve the prediction accuracy of SVM classifier. [191] combined PSO with ANN for feature selection. They used PSO to select relevant features and ANN to evaluate the fitness of the feature subset in different iterations. The best feature subset was then used to build a SVM model for spam email classification. [156] used WAO to select important features from two email datasets: Spambase and Enron-Spam [112]. The WAO algorithm selected 55 features out of the 58 features in the Spambase dataset. It also selected 426 features out of the 1054 features in the Enron-Spam dataset. The selected features were then combined with RoF algorithm for classification of emails.

Behjat et al. [24] introduced a feature selection technique for spam detection in spam emails. They used GA to reduce the feature dimensionality of the LingSpam dataset, and the reduced dataset was used to train Multi-Layer Perceptron (MLP). The result shows that GA reduced the dataset dimensionality and improved the prediction accuracy of MLP classifier. In another study, [138] used FFA to select optimal features for email spam classification. The selected features were used to train NB classifier, and experimental results show that the proposed FFA-based technique outperforms PSO and NN in terms of classification accuracy. Some studies [75,140] introduced different NI-based spam pattern-finding techniques for automatically identifying spam contents. These techniques use different NI algorithms (such GP) to extract spam patterns from datasets. Based on the extracted patterns, spam classification models were built. The models were evaluated, and the results showed that GP can generate spam patterns suitable for effectively classifying spam contents.

In addition to feature selection, some studies introduced instance selection techniques for improving the speed of ML algorithms. Instance selection techniques are used to remove superfluous and harmful instances from training datasets. Superfluous instances are instances that contribute negligibly to the classification accuracy of a classifier, while harmful instances are instances that lead to increased FP and FN rates [32]. Superfluous and harmful instances contribute less to the classification accuracy, hence discarding them do not have a negative impact on the overall performance of ML algorithms [32]. Very few studies designed instance selection techniques, and these techniques can effectively improve the performance of spam detection systems. Akinyelu and Adewumi [8] introduced two NI instance selection techniques based on CS algorithm and bat algorithm. The two algorithms were used to select reduced instances for SVM speed optimization. The algorithms were evaluated on different datasets, including spam email detection datasets, and the results showed that instance selection techniques can be used in combination with ML algorithms to produce improved spam detection models. In another study, Anwar et al. [14] designed an ACO-based instance selection technique for improving the prediction accuracy of classification models (called ADR-Miner). They used ACO to select relevant instances from 20 datasets. Based on the selected instances, they trained different classification algorithms, and the result shows that ACO improved the prediction accuracy of classification models.

3.5.2. Nature-inspired based techniques for webspam

NI-based feature selection has not been fully explored in the domain of web spam detection. Lu et al. [104] are one of the few authors that used NI algorithms for feature selection in web spam detection. They used CSA to design a feature selection technique for web spam detection. Initially, they used the under-sampling technique to handle the data imbalance problem in the WEBSPAM-UK2006 dataset. Further, CSA was applied to the balanced dataset to select optimal feature subsets. The selected feature subsets were used to build an ensemble of C4.5 decision tree classifiers. The results show that CSA improved the prediction accuracy of the ensemble classifier by over 5%. In a different study, Lu et al. [103] introduced a similar method for web spam detection, using ICA to select optimal features for building decision tree models.

3.5.3. Nature-inspired based techniques for review spam

Rajamohana et al. [134] introduced a technique for selecting optimal features in website reviews using adaptive binary flower pollination algorithm (BFPA) and NB algorithm. They used BFPA to select features and NB algorithm as an objective function. They evaluated the technique and the experimental results showed that it selected informative features and produced high classification accuracy. Rajamohana and Umamaheswari [132] introduced a hybrid feature selection technique using BPSO and BFPA. As claimed by the authors, the hybrid approach overcomes the drawbacks of PSO (low convergence rate) and take advantage of the strength of BPSO for feature selection. PSO has a slow convergence rate and BPSO can generate new solutions which improve the search process of features. The authors used BPSO to select some set of features, and then passed the best solutions found by the algorithm to BFPA for further optimization. Finally, BFPA outputs the best solution it obtains. The hybrid approach was evaluated on SVM, NB, and k-NN, and experimental results show that it outperformed the fitness value of standard BPSO and BFPA by 4.42% and 2.45% respectively.

Rajamohana and Umamaheswari [133] proposed a hybrid feature selection approach for review spam detection using an improved version of the binary PSO algorithm and SFLA. Initially, PSO was used to select a set of optimal features. Further, the optimized feature set was provided as an input to SFLA to further reduce the feature set. The final feature subset was used to train three classifiers: NB, k-NN, and SVM. Experiments show that the hybrid approach reduced the feature set by over 50% and improved the classification accuracy of k-NN and NB. In addition to feature selection, some authors introduced rule-based systems for review spam detection. Rule extraction techniques are designed to discover classification rules for prediction. Manaskasemsak and Rungsawang [108] introduced a rule-based algorithm for web spam detection. They used ACO to extract relevant classification rules from the WEBSPAM-UK2006 and WEBSPAM-UK2007 datasets. The extracted rules were used to distinguish between non-spam and spam hosts. The technique was evaluated, and the results show that it outperformed popular rule-based classification algorithms, achieving an AUC score of 0.899 and 0.784 for WEBSPAM-UK2006 and WEBSPAM-UK2007, respectively.

3.5.4. Nature-inspired based techniques for social network spam

Aswani et al. [17] introduced a hybrid method for identifying spam profiles in social network using bio-inspired technique and social media analytics. They combined Levy-Flight Firefly Algorithm (LFA) with K-Means for clustering Twitter users into spam and non-spam. The LFA was used to select the best clusters from the K-Means algorithm. The authors claimed that combining LFA with K-Means algorithm prevented K-Means from falling into local optimum, thus obtaining a global optimal solution for computationally intensive problems. Chaotic optimization algorithm (COA) was also used to tune certain coefficients of the LFA. Barushka and Hajek [21] introduced another NI-based technique for spam detection in a social network. They used the multi-objective evolutionary algorithm to minimize the misclassification cost and select relevant features for spam filtering. The selected features were used to train different ML algorithms, including Deep Neural Networks (DNN), RF, and NB. The result shows that the DNN-based technique produced the best result.

Table 3 shows a summary of some NI spam detection techniques and the specific problems they solved (e.g. feature selection, instance selection, rule extraction or parameter optimization).

Data collection and annotation are important parts of ML models. The reliability and sample distribution of datasets are very important issues that must be considered when collecting a dataset. Data samples in a dataset are expected to be representative of their real-world distribution so that developers can build unbiased ML models with good generalization performance. Although, a massive amount of data is available on the internet, collecting and labelling large-scale dataset to train a model can be challenging, error-prone, and complex [194]. An option could be to employ crowdsourcing services, such as Amazon Mechanical Turkers (AMT). These services grant anyone access to unknown online workers willing to complete small tasks. Ott et al. [125] used AMT to generate a dataset for review spam. They created a pool of tasks (called human intelligence tasks) and allocated them to different online workers. Each online worker can use a maximum of 30 minutes to work on a task. After completing and submitting the task, they are paid $1. As reported by Ott et al. [125], a total of 400 acceptable fake reviews were collected in 14 days. If it took them 14 days to collate just 400 reviews (which is small), then it will likely require more days (and even months) to collect large-scale datasets. This paints the picture of how challenging it can be to collect large-scale dataset. In another study, Yadav et al. [186] also used the crowdsourcing approach to collect large-scale spam dataset. They ran an incentivized scheme on their campus and awarded food coupons to participants that sent a certain number of SMS spam messages to their server. They gathered nearly 4000 samples from users in less than two months. Another option for obtaining large-scale dataset is to generate synthetic samples, where fake samples are generated from truthful samples. As an example, Sun et al. [164] used this technique to create a dataset for review spam detection. They designed an algorithm that can generate a synthetic review from a pool truthful review. They evaluated this method, and the result showed that synthetic dataset can be used to generate effective models for spam detection. [63,135] also used SMOTE to generate synthetic samples from existing datasets.

After data collection, assigning labels to each of the data samples is required. Typically, researchers use two methods to obtain annotations for datasets, namely manual annotation, or crowdsourced annotation. In manual annotation, two or more annotators are employed to manually label the data samples [83,95]. The degree of consistency between the annotation is computed (using techniques such as Cohen kappa [125]), and the annotations are accepted or rejected based on the consistency measure [152]. In crowdsourced annotation, researchers pay voluntary workers money to contribute to samples. For example, [123–125] used Amazon Mechanical Turk to employ the services of several workers to write artificial reviews for 20 hotels from TripAdvisor. [186] sent food coupons to voluntary users that contribute spam samples to their server.

These outlined methods produced good results; however, they have their shortcomings. Manually annotation is time-consuming and challenging. Also, there is a high probability of false-positive annotation, because spam samples cannot be easily identified by users that do not have enough knowledge about the domain [114]. Also, the employed annotator might not do a very good job due to the poor incentive provided for annotation [114]. On the other hand, using crowdsourced samples may not be representative of real-world samples [114]. Moreover, since we do not have control over the quality of the crowdsourced annotators, spammers can dominate the annotations by randomly assigning labels to samples without looking at the sample itself [136]. This can increase the cost of acquiring annotations and degrade the quality of the annotated dataset [136]. [136,152] proposed techniques that can be used to improve the annotation of spam datasets.

4.9.2. Dataset issues in spam detection

As shown in Table 4, most of the review spam detection techniques in the literature did not yield very good results, maybe due to lack of enough datasets for training. Some studies trained their technique on a “gold-standard” small-scale dataset [124] consisting of 800 instances, while some trained their techniques on highly imbalanced datasets, such as Yelp [187]. Moreover, some studies built their model with highly synthetically created datasets (such as Amazon Mechanical Turk (AMT) [12]). Generally, small-scale, and imbalanced datasets will produce poor models that cannot generalize well on unseen datasets. Moreover, training models on synthetic samples is a challenge, because synthetic spam samples do not properly represent real-world spam samples. Experiments performed by Mukherjee et al. [114] revealed that models built on synthetic samples produced poor generalization performance. They trained a model and evaluated it on two datasets: a synthetically created dataset (from AMT) and a real-world dataset (from Yelp). The synthetic dataset produced an accuracy of 87.8%, while the real-world dataset produced an accuracy of 65%. This 22% decrease in accuracy shows that synthetically created models cannot be used to effectively filter real-world spam samples. Future research can consider designing improved models for online review spam detection. These techniques can be built with large-scale datasets consisting of real-world data samples. Moreover, sampling techniques (such as ROS and RUS) can be explored to improve the sensitivity of the models towards spam detection. Besides, future research should avoid using crowdsourced reviews to build detection models for review spam, because crowdsourced fake reviews do not perfectly represent real-world fake reviews [114].

Habitually, real-world datasets are imbalanced; they largely consist of a higher proportion of “normal” samples and smaller proportion of “abnormal” samples. Besides, the cost of misclassifying abnormal instances is arguably higher than the cost of misclassifying normal instances [42]. Therefore, constructing classifiers from imbalanced datasets can affect the sensitivity of the classifier to minority class and lead to biased accuracy and overfitting. Sampling techniques can be used to improve the quality of datasets. Some studies introduced sampling techniques as an approach to tacking imbalance in spam detection. Habib et al. [75] used Synthetic Minority Over-sampling Technique (SMOTE) to generate synthetic samples of the minority class for training. Moreover, [2,103,104] used under-sampling techniques to remove instances of the majority (or over-represented) class. Besides, Abu Hammad [2] used an oversampling technique (ROS) to generate more copies of the minority (or under-represented) classes. Moreover, the two approaches (i.e. under-sampling and over-sampling), can be combined to effectively tackle the imbalance problem in datasets, as shown in [42]. Besides, penalized classification algorithms (such as penalizedSVM and penalizedLDA) can be used to handle imbalance problems in datasets. These penalization algorithms enforce an extra cost for making additional errors on minority classes when training. Furthermore, many studies ignored the use of ensemble learning techniques for spam detection, such as Bagging or Boosting. These techniques are very suitable for improving the performance of imbalance or noisy datasets [56].

5.2.1. Spam email

This sub-section presents the performance analysis of different ML-based spam email detection techniques. As shown in Table 5, some studies evaluated their techniques on the SpamAssassin dataset. Among these studies, Meli et al. [109] achieved the best result, followed by [18]. Meli et al. [109] designed a rule-based spam email detection technique using linear GP, and it achieved an accuracy of 99.83%. Although this technique produced a high prediction accuracy, it is not highly recommended as a standalone classifier. This is because, rule-based systems require regular updates, and they can be easily bypassed by sophisticated spam attacks. Furthermore, NB algorithm designed in [18] achieved the second-best result for SpamAssassin dataset. The authors in [18] performed a comparative analysis of six ML algorithms, and the analysis showed that NB algorithm outperforms the other algorithms, achieving an accuracy of 99.46%. Moreover, some studies evaluated their technique on the Spambase dataset. Among these techniques, Shuaib et al. [156] produced the best result, achieving a prediction accuracy of 99.99%, while other techniques achieved an accuracy between the range of 81.25% and 96.45%. This shows that Shuaib et al. [156] outperforms the other techniques by at least 3.45% and at most 18.74%, in terms of prediction accuracy. Shuaib et al. [156] designed a hybrid spam detection technique using RoT classifier and WOA. They used WOA to select relevant features for building effective models for spam email detection. This underscores the effectiveness of using NI algorithms for feature selection.

Generally, the performance of ML classifiers improves as feature selection techniques are applied. Different NI optimization algorithms have been used to select features from datasets, including ACO, WOA, CSA, BA, GA, and PSO. In [156], RoF achieved an accuracy and F-measure of 94.2% before feature selection, and 99.86% after feature selection. In [87] and [8], SVM achieved an accuracy of 79.5% and 96.66% before feature selection and 81.25% and 96.96% after feature selection. In [195], C4.5 achieved an accuracy of 91.76% before feature selection and 94.27% after feature selection. As shown in all these results, feature selection techniques improved the results of ML classifiers by over 5%. In some cases, these techniques reduced the feature size significantly. In [195], the number of features was reduced by more than 85%, from 57 features to 7 features. In [64], the number of features was reduced by more than 50%, from 6919 to 3400. In both cases, the reduced dataset produced better prediction accuracy than the original dataset.

The quality of features used to train a ML classifier also plays a major role in the performance of the ML classifiers. In [157], NB algorithm produced an accuracy of 88.5% when trained on features extracted from spambase dataset. The same classifier (I.e., NB) in [18] achieved an accuracy of 99.46% when trained on features extracted from SpamAssassin dataset. Moreover, in [87], SVM produced an accuracy of 79.5% when trained on features extracted from the spambase dataset, and it also achieved a higher accuracy of 96.96% in [18] when trained on features extracted from SpamAssassin dataset. This shows that the SpamAssassin dataset contains good features for identifying spam emails.

Different evaluation methods were adopted in the literature, including 10-fold cross validation, 20-fold cross validation, and percentage split. Among all these methods, 10-fold cross validation produced the best result. In [11], RF produced 95.7% accuracy when 10-fold cross validation was used, and its accuracy reduced to 95.3% when 66% percentage split method was used. Moreover, BN produced 88.13% accuracy when 10-fold cross validation was used, and its accuracy reduced to 87.38% when the percentage split evaluation method was used. Furthermore, MLP produced an accuracy of 86.05% when 10-fold cross validation was used, and it produced a reduced accuracy of 85% when the percentage split method was used. Although, the 10-fold cross validation technique does not always outperform the percentage split method, in most cases it does. However, it is highly recommended that different evaluation techniques are tested, and the technique that produces the best result should be used.

Some classifiers did not produce very good results for spam email detection. In [157], NB produced a prediction accuracy of 88.5% and a F-Measure of 88.5%. In [22], Radial Basis Function (RBF) produced an accuracy and F-measure of 82.61% and 0.828 respectively, while NB produced an accuracy and F-measure of 89.85% and 0.828 respectively. In [141], NB produced an accuracy and F-measure of 72.57% and 77% respectively. These poor results could be because of the evaluation technique, parameter selection technique, instance selection technique, feature selection technique designed in various studies. On the other hand, some classifiers performed averagely well, while some produced very good results.

Some classifiers produced good results when trained on fewer instances and attributes. In [141], NB classifier produced an accuracy and F-measure of 82.88% and 60% respectively when trained on a dataset with 4601 emails and 58 features. In [141], the same classifier (I.e. NB) produced a lower accuracy and F-measure of 72.57% and 77% respectively when trained on a larger dataset containing 9324 emails and 500 features. In addition, the diversity of the dataset plays a key role in the performance of ML classifiers. A classifier will produce improved generalization performance if it is trained on a large-scale dataset collected from multiple sources. For instance, in [49], NB classifier produced an accuracy of 97 when it was trained on a dataset containing emails collected from 150 users, and the same classifier in [141] produced a reduced accuracy of 77% when it was trained on a dataset that was obtained from one email account. This shows that the performance of classifiers changes with respect to dataset size, feature size, and dataset variability.

The quality of the performance of the classifiers is largely dependent on the dataset used. The analysis presented in this section is based on the spambase and spamassassin dataset. These two datasets are the most popular dataset used in the literature for spam email evaluation.

5.2.2. Social network

This section presents the performance analysis of social network spam detection techniques. Different ML models were designed for spam detection in social network sites. Some models achieved promising results. In [11], RF produced an accuracy and F-measure of 95.7%, while in [4] RF produced an accuracy and F-Measure of 93.2%. Moreover in [80], KNN produced an accuracy and F-Measure of 91.96% and 91.38%, NB produced an accuracy and F-measure of 92.07% and 91.74%, and SVM produced an accuracy and F-Measure of 93.14% and 92.97%. In [4], SVM produced an accuracy and F-Measure of 87.90% and 87.90%, while BN produced an accuracy and F-Measure of 84.2% and 84.3% [4]. The low performance produced by some of the techniques could be because of the quality of features and parameters used to build the models. Undoubtedly, these models require improvements if we want to design a secured webspace for social network users.

Feature selection also plays a major role in improving the results of ML-based social network spam detection classifiers. In some cases, feature selection techniques improved the accuracy of classifiers by over 33%. In [80], CNN produced an accuracy of 93.91% when evaluated on a Twitter dataset containing 14000 features. The same classifier (CNN) produced a better accuracy of 95.48% when evaluated on the same dataset with a reduced number of features – 8000 features. In [4], EA was used to reduce the feature size of a dataset from 69 to 18, and the reduced dataset produced better result compared to the original dataset. The accuracy of RF was improved from 92.8% to 93.2%, while the accuracy of SVM was improved from 87.8% to 88.3%. Moreover, the accuracy of BN was improved from 88.1% to 88.9%. The authors in [60] designed an RST-based feature selection technique and applied it to five social network datasets containing different number of features. The technique reduced the features in the first dataset from 63 features to 15 features. The feature selection technique also reduced the features in the second and third dataset from 60 features to 36 features, and from 41 features to 5 features, respectively. Moreover, the feature selection technique reduced the features in the fourth and fifth dataset from 60 features to 5 features, and from 23 features to 6 features, respectively. The five reduced datasets were evaluated on different ML classifiers and they produced improved results. For dataset 1, the accuracy and F-Measure of RandomTree was improved from 82.5% and 0.822 before feature selection to 85.80% and 0.862 after feature selection. Moreover, for dataset 2, the accuracy and F-Measure of NB classifier was improved from 50.4% and 0.536 before feature selection to 84.39% and 0.862 after feature selection. Moreover, for dataset 3, the accuracy and F-Measure of NB was improved from 90.1% and 0.908 to 99.51% and 0.995, while the accuracy and F-Measure of RBFNetwork was increased from 89.18% and 0.892 to 96.56% and 0.966. Furthermore, for dataset 4, the accuracy and F-measure of RBFNetwork was improved from 89.7% and 0.879 to 97.44% and 0974, while the accuracy and F-Measure of NB was increased from 75.23% and 0.742 to 99.62% and 0.9960. As shown in the results, feature selection techniques improved the results of spam classifiers by over 33%, as in the case of dataset 2.

Some studies used deep learning algorithms to build spam detection models. The authors in [11] designed a deep learning-based model using RNN and it produced an accuracy of 80%. The accuracy is not very high because of the size of dataset used to train the algorithm. Deep learning algorithms require large number of data instances for improved performance. Jain et al. [80] designed a hybrid deep-learning based technique using CNN and LSTM (called SSCL). The hybrid technique outperforms traditional ML classifiers, and it achieved an accuracy and F-measure of 95.48% and 97.13%, respectively. The hybrid technique also outperforms standard CNN and LSTM as they produced an accuracy of 92.73% and 92.93% respectively.

5.2.3. Review spam

This section presents the performance analysis of review spam detection techniques. Many ML models has been designed for review spam detection. The classification method introduced in [16] achieved the best accuracy of 98%, followed by SVM achieving an accuracy of 89.8% [125]. Moreover, the performance of classifiers varies with the type of review – positive or negative reviews. In [153], SVM produced 88.4% accuracy for positive reviews and 86.0% accuracy for negative reviews.

Some studies introduced different features, and these features contributes individually to the prediction accuracy of ML classifiers. Asghar et al. [16] trained different ML classifiers on features from different entities, including the reviewer, the review, and the product. Result shows that the classifiers produced the best result when trained on features from the three entities. The classifiers also produced good accuracy when trained on reviewer-based features. This shows that classifiers that are trained on features related to the reviewer will produce good results. Li et al. [97] evaluated different ML classifiers using unigram features, LIWC features and POS features, and the features had different impact on the performance of ML classifiers. SVM produced an accuracy and F-measure of 78.5% and 77.8% when trained on unigram features. It also produced an accuracy and F-measure of 74.5% and 75.9% when trained on LIWC features. Moreover, it produced a reduced accuracy and F-measure of 73.5% and 75.1% when trained on POS features. In [125], SVM produced 73% accuracy for POS features, 76.8% accuracy for LIWC feature, and 88.4% accuracy for unigram features. As shown in the results, unigram features produced the best result. Unigram features produces even better results when combined other features. Ott et al. [125] combined the unigram features and LIWC features. They trained SVM on the hybrid features, and it produced an improved accuracy of 89.8%, compared to 88.4% when was trained on only unigram features.

Like spam email and social network spam detection, feature selection also plays an important role in classifying spam reviews. Rajamohana and Umamaheswari [133] introduced a hybrid feature selection technique using a combination of iBPSO and SFLA. They applied the technique on a dataset containing over 2400 features, and it reduced the feature size to 642 features. Moreover, iBPSO and SFLA were separately applied to the same dataset and they reduced the feature size to 772 features and 723 features respectively. As shown, the hybrid feature selection technique achieved better feature reduction compared to the individual algorithms Furthermore, the reduced feature sets were trained on SVM, KNN, and NB and they produced better result than the original dataset. The feature set produced by the hybrid technique achieved an accuracy of 94.97% for NB, 92.12% for KNN, and 91.25% for SVM. It is noteworthy to mention that SFLA selected more features than the hybrid technique, however it produced lower accuracy compared to the hybrid technique. It produced an accuracy of 85.5% for NB, 87.07% for KNN, and 89.84% for SVM. Similarly, BPSO produced a lower accuracy compared to the hybrid technique. It produced an accuracy of 82.5% for NB, 85.05% for KNN and 88.38% for SVM. This shows that multiple NI algorithms can be combined to design effective feature selection techniques for review spam detection.

Some studies introduced different types of weighting schemes for review spam detection. These weighting schemes are designed to assign more weights to high-risk features. Results showed that ML classifiers produced improved results when trained on features with high weights. [113] introduced a weighting scheme for selecting features for spammer groups. They also introduced an unsupervised-based model called GSRank, and the model outperformed traditional ML algorithms. The model was evaluated on a dataset containing product reviews from Amazon, and it produced an AUC score of 0.93, while SVM and LR produced lower AUC of 0.83 and 0.79 respectively. Mukherjee et al. [16] introduced a classification method that uses a weighting scheme to calculate spam scores for product reviews. In the study, each review is classified as spam or non-spam based on the spam score. Results showed that the classification method outperformed traditional ML classifiers when evaluated on an Amazon dataset. It produced an accuracy and F-Measure of 98%. Moreover, SVM produced a lower accuracy and F-measure of 78% and 0.70 when evaluated on the same dataset. KNN also produced a lower accuracy and F-measure of 74% and 0.69, respectively.

5.2.4. Web spam

The section presents the performance analysis of web spam detection techniques. Combating webspam is becoming a great challenge for many search engines. In view of this, many anti-spam techniques have been developed and some of them produced promising performance. Based on some experiments performed by Sattar et al. [148], SVM produced the best result achieving an accuracy of 100%, followed by LR with an accuracy of 99.73%. In [104], C4.5 ensemble classifier produced an accuracy and F-measure of 94.66% and 0.35 respectively. NB produced the least performance for web spam detection with an accuracy of 76.1%. The results reported in some studies shows that some ML classifiers produced very good accuracy, but they have time complexity problems. For instance, Asdaghi and Soleimani [15] compared the performance of different ML algorithms, and the comparison shows that MLP and SVM produced the best result in terms of accuracy, but they produced the worst result in terms of time complexity. In the same study, KNN produced the best result in terms of time complexity, followed by Random Tree and NB classifier. The results reported in this paragraph are based on experiments performed on the WEBSPAM-UK2007 dataset.

Effectively identifying webspam requires ML classifiers to be trained on specific features, including graph-based features and content-based features. In [148], graph-based features produced the best performance, followed by content-based features. In [148], SVM and RF achieved an accuracy of 100% when trained on graph-based features. Moreover, in [15], NB produced an accuracy of 92% when trained on graph-based features. SVM and KNN also achieved an accuracy of 99.97% and 99.81% when trained on content-based features. On the other hand, in [148] and [15], NB classifier produced very poor result when trained on content-based features. In [148], NB produced an accuracy and F-measure of 36.009% and 0.471 respectfully. In [15], NB produced an accuracy of 14%. This show that the choice of features plays a key role in effectively identifying review spam.

Feature selection techniques also improves the performance of web spam classifiers. Sattar et al. [148] used information gain and gain ratio to reduce the feature set of WEBSPAM-UK2007 dataset from 274 features to 201 features, and the reduced dataset produced better result compared to the original dataset. Asdaghi and Soleimani [15] introduced a feature selection technique using the backward elimination approach. The technique was applied to the WEBSPAM-UK2007 dataset and it reduced the number of features by over 90%, from 275 to 27. The original and reduced dataset were evaluated on NB classifier and the results shows that the feature selection technique improved the accuracy of NB classifier from 70% to 73%. Makkar et al. [107] designed a framework for web spam detection consisting of feature selection and instance selection techniques. The framework used RFE for feature selection and PCA for instance selection. Experimental results show that the framework improved the accuracy of RNN classifier by over 24%.

Some studies introduced hybrid techniques for webspam detection. Sattar et al. [148] introduced a hybrid deep learning-based framework for webspam detection using RNN, RFE and PCA. Experimental results show that the hybrid framework achieved good results. Lu et al. [104] proposed a hybrid webspam detection using CSA for feature selection, under-sampling for dataset balancing, and ensemble decision tree classifier. Experiments performed on an imbalanced dataset – WEBSPAM-UK2006 dataset – shows that the hybrid technique outperform other ML classifiers. It achieved an improved accuracy and F-measure of 89.68% and 0.92, compared to NB classifier that produced a lower accuracy and F-measure of 69.37% and 0.47 respectively. Lu et al. [103] also proposed a hybrid approach using ICA for feature selection, under-sampling technique for dataset balancing, and C4.5 decision tree classifier. Experiments performed on the WEBSPAM-UK2006 dataset shows that the hybrid technique improved the accuracy of C4.5 classifier by over 16%, from 72.77% to 89.73%. It also improved the F-measure from 0.76 to 0.93. This shows hybrid technique can be used to improve the performance of webspam detection. It also noteworthy to mention that the improved result is also because of the under-sampling technique used to balance the WEBSPAM-UK2006 dataset in [103]. The WEBSPAM-UK2006 dataset used in [103] is very imbalanced; the ratio of normal web pages to spam web pages is 7:1. This shows that under-sampling techniques can be used to improve the quality of imbalanced dataset, and consequently the performance of ML algorithms.