Scopus Indexed Publications

Paper Details


Title
Comparative Analysis of Two-Step Machine Learning Models for Botnet SPAM Detection

Author
Md. Sagar Hossen

Abstract

A botnet refers to a group of devices that have been infected with malicious software, allowing them to be controlled to carry out harmful activities such as identity theft, denial-of-service attacks (DDoS), personal data theft, click fraud, and SPAM distribution. Among these activities, SPAM is the most prevalent type of cyber-attack in today’s digital landscape, often aimed at stealing personal information and spreading infections to new devices. Research has shown that using a multistep classification approach can enhance the performance of models designed to detect cyber-attacks. However, the optimal combination of classifiers for identifying SPAM within botnet activities has not yet been established. This study introduces a method for detecting botnet SPAM through a two-step classification process, utilizing two types of classifiers chosen from a set of three: Decision Tree, Naïve Bayes, and Logistic Regression. In the first step, the model categorizes data into normal activity and botnet activity. In the second step, it further classifies botnet activities into SPAM and non-SPAM categories. The method was evaluated using the NCC-2 sensor 3 public dataset, which comprises various types of simultaneous botnet attacks, including SPAM. This dataset has an imbalanced proportion, with most network traffic consisting of normal activity, followed by non-SPAM botnet activity, while SPAM botnets represent the smallest group. The experimental results revealed that employing the Decision Tree algorithm in both stages of the classification process achieved the best outcomes. The performance metrics for this proposed method showed an accuracy of 98.96%, a precision of 99.01%, a recall of 98.96%, and an F1-score of 98.98%.


Journal or Conference Name
International Journal of Safety and Security Engineering

Publication Year
2025

Indexing
Scopus