Creating a lexical rule in advanced mode

The advanced mode for entering lexical rules enables you to match against system or custom dictionaries, and include multiple actions depending on the number of phrases matched. (If you want to specify a single action to take when a message matches a phrase from a list, see Creating a lexical rule in simple mode.)

From this page, you can access the Dictionaries page to create or edit your custom dictionaries.

Note: You can also access the dictionaries page by navigating to Email > Settings > Dictionaries. Dictionaries can include simple phrases, complex multi-word searches, or regular expressions. For more information, see Managing dictionaries.

To add a lexical rule in advanced mode:

Steps

  1. On the main Lexical Rules screen, click Add Advanced Rule. (To edit an existing rule, click the rule that you want to edit.)
  2. Enter a name for the rule and a description if desired.
    Note that the new rule is enabled by default. You can change this later if required.
  3. From the Dictionary drop-down box, select the dictionary you want to use for this rule.
  4. In the Include recipients or senders field, enter the domain(s) or individual email address(es) or select the group to which this rule applies. Note that these must be domains or email addresses associated with your account: for an outbound rule, this would apply to senders, and for an inbound rule it would apply to recipients. If you do not enter any information in this field, the rule applies to everyone.
  5. In the Excluded recipients and Excluded senders fields, enter any domains or individual email addresses, or select the group to be excluded from this rule. If you do not enter any exclusion information, nobody is excluded from the rule.
    Note: For inbound and outbound lexical rules, you can create a list that excludes certain senders and one that excludes certain recipients. For example, you can specify that a lexical rule does not apply if an email is from xyz@externaldomain.com or is sent to xyz@internaldomain.com. In all exclusion lists, you can enter up to 65,535 characters consisting of domains, addresses, or groups, separated by commas.
  6. Click Submit.
    The rule details are displayed. You can click Edit to change any of the details entered in the steps above, or to disable the rule.
  7. Click Add... to tell Forcepoint Email Security Cloud what to do when a message matches entries in the dictionary. The Lexical Rule Action screen appears.
  8. Specify a threshold, an action, and any notification options related to the selected action, then click Add to save your changes. The rule is triggered when the combined value of all matched words in the message is greater than or equal to this threshold.

Next steps

There are 7 different actions that can be performed on the email. You can therefore configure up to 7 different thresholds, each with a separate action:

  • Quarantine message (optionally notify sender, recipients, and/or others with the selected notification messages).
    Note: Once an email message is quarantined, no further actions can be performed on that message. Therefore, if you set a quarantine action at a certain threshold, any other action set at a higher threshold will fail.
  • Encrypt the message (optionally notify the sender and/or others). This option is only available for outbound lexical rules, and if you have the Email Security Encryption Module (see Advanced encryption).
  • Forward message to a specific address.
  • Tag the subject with a specified phrase and deliver the message.
  • Blind carbon copy the message to another address.
  • Tag the subject, deliver it, and send a blind carbon copy to another address.
  • Deliver the message without any tags and keep a copy for checking.
    Note: There is a quota for the number of messages that can be retained with the Keep Copy action. When you select Keep Copy or manage a lexical rule that uses Keep Copy, the used and available quota is displayed. If you exceed this quota, messages matching the Keep Copy criteria are logged in the Message Center, but you cannot read the message contents. To free space, delete some messages in the Message Center and then contact Support to have the lexical rule(s) using Keep Copy checked and re-enabled.

For quarantined messages, you can also define whether end users can view or release any messages caught by this lexical rule from their personal email report.

In the example above, inbound email is checked against a dictionary of offensive phrases to protect the intended recipient. Those that score 1.5 or above are quarantined. Email that scores 5 or above is likely to have matched multiple words or matched against words that have been allocated a higher score.
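
The threshold behaviour described above can be modelled offline to sanity-check a planned set of thresholds before entering it in the portal. This is an added illustration, not Forcepoint code: the sample dictionary, the action labels, once-per-phrase scoring, and lowest-threshold-first evaluation are all assumptions.

```python
import re

# Constructed sample dictionary (phrase -> score); not a Forcepoint dictionary.
SAMPLE_DICTIONARY = {"confidential": 1.0, "wire transfer": 1.5, "password": 0.5}

# Constructed rule: (threshold, action label). Labels are hypothetical.
SAMPLE_RULE = [(1.0, "tag_subject"), (2.0, "quarantine"), (5.0, "forward")]


def score_message(text, dictionary):
    """Combined value of all dictionary phrases found in the message.

    Assumption: each phrase counts once, matched case-insensitively
    on word boundaries.
    """
    lowered = text.lower()
    return sum(
        score
        for phrase, score in dictionary.items()
        if re.search(r"\b" + re.escape(phrase.lower()) + r"\b", lowered)
    )


def applied_actions(score, rule_actions):
    """Actions that run for a score, assuming lowest threshold first.

    A threshold is met when score >= threshold. Quarantine is terminal:
    no further action can be performed once it has been applied.
    """
    applied = []
    for threshold, action in sorted(rule_actions):
        if score < threshold:
            break
        applied.append(action)
        if action == "quarantine":
            break
    return applied


def unreachable_actions(rule_actions):
    """Lint check: actions set at a higher threshold than a quarantine action."""
    quarantine_at = min(
        (t for t, a in rule_actions if a == "quarantine"), default=None
    )
    if quarantine_at is None:
        return []
    return [(t, a) for t, a in sorted(rule_actions) if t > quarantine_at]
```

Running `unreachable_actions` over a planned rule lists the threshold/action pairs that would never take effect because a quarantine action sits below them.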

To help you choose an appropriate threshold for the actions you require, click Show dictionary statistics to display a statistical analysis of the selected dictionary. On the left side is a graphical representation of the distribution of scores in the dictionary. On the right side are a few statistics that may help you to choose a threshold.

Note: There is a limit on the number of regular expressions you can include in lexical rules for each policy. If your dictionaries include a large number of regular expressions, it might restrict the ability of the service to process your email. A warning appears when you are nearing this limit, and once you exceed the limit, you cannot save the lexical rule.