The present invention provides an improved system and method for analyzing
spam e-mail. The system and method monitor instances of spam across a
distributed network, and creates and stores records of these instances as
encoded information strings, which are attached to each message as a
header. The system and method use information and statistics obtained
from the information strings to dynamically create, modify and retire
rules for analyzing and managing spam e-mail. The system also allows
analysts to dynamically create, modify and retire rules based upon
feedback regarding unidentified spam messages and false positives.
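
The loop described above, from per-message header records to rule decisions, as an added example that is not part of the original text or the patented system. The header name `X-Spam-Record`, its `v=..; verdict=..; rules=..` layout, the rule ids, the sample messages and the 25% false-positive threshold are all assumptions made for illustration.

```python
import email
from collections import Counter

HEADER = "X-Spam-Record"  # hypothetical header name; the page names none
# Constructed sample messages; the "v=..; verdict=..; rules=.." layout is assumed.
MESSAGES = [
    "Message-ID: <m1@example.test>\nX-Spam-Record: v=1; verdict=spam; rules=R101,R207\n\nhi\n",
    "Message-ID: <m2@example.test>\nX-Spam-Record: v=1; verdict=spam; rules=R101\n\nhi\n",
    "Message-ID: <m3@example.test>\nX-Spam-Record: v=1; verdict=spam; rules=R207\n\nhi\n",
    "Message-ID: <m4@example.test>\nX-Spam-Record: v=1; verdict=ham; rules=\n\nhi\n",
    "Message-ID: <m5@example.test>\nX-Spam-Record: garbage\n\nhi\n",
]
FALSE_POSITIVES = {"<m3@example.test>"}   # constructed analyst feedback
KNOWN_RULES = {"R101", "R207", "R300"}    # constructed rule ids


def parse_record(raw):
    """Return (message_id, verdict, rule_ids), or None for a missing/malformed record."""
    msg = email.message_from_string(raw)
    fields = {}
    for part in (msg.get(HEADER) or "").split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key] = val.strip()
    if fields.get("v") != "1" or "verdict" not in fields:
        return None
    rules = [r for r in fields.get("rules", "").split(",") if r]
    return msg.get("Message-ID"), fields["verdict"], rules


def rule_actions(messages, false_positive_ids, known_rules, max_fp_rate=0.25):
    """Aggregate per-rule hits and reported false positives into keep/modify/retire."""
    hits, fps = Counter(), Counter()
    for raw in messages:
        msg_id, verdict, rules = parse_record(raw) or (None, None, [])
        if verdict != "spam":
            continue
        for rule in rules:
            hits[rule] += 1
            fps[rule] += msg_id in false_positive_ids
    actions = {}
    for rule in sorted(known_rules):
        if hits[rule] == 0:
            actions[rule] = "retire"      # rule no longer matches anything
        elif fps[rule] / hits[rule] > max_fp_rate:
            actions[rule] = "modify"      # too many reported false positives
        else:
            actions[rule] = "keep"
    return actions
```

Because the record travels in a message header, a deployment would need to strip or authenticate that header on inbound mail so that a sender cannot supply its own record.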