From 5ccb365f935f1d8cb5c85405548e0c8d96e7419a Mon Sep 17 00:00:00 2001
From: eidurorng <eidurorn@hotmail.com>
Date: Mon, 25 Jan 2021 18:03:18 +0000
Subject: [PATCH] Quick fix for everything getting classified as external
 analysis With the OR statement everything gets classified as external
 analysis when not running with --urlsonly.

---
 mail2misp/mail2misp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail2misp/mail2misp.py b/mail2misp/mail2misp.py
index a6b941e..c5958b0 100644
--- a/mail2misp/mail2misp.py
+++ b/mail2misp/mail2misp.py
@@ -284,7 +284,7 @@ class Mail2MISP():
                                                           to_ids=False, enforceWarninglist=False)
                 if email_object:
                     email_object.add_reference(attribute.uuid, 'contains')
-            elif domainname in self.config.externallist or self.urlsonly is False:  # External analysis
+            elif domainname in self.config.externallist and self.urlsonly is False:  # External analysis
                 attribute = self.misp_event.add_attribute('link', entry, category='External analysis',
                                                           to_ids=False, enforceWarninglist=False)
                 if email_object: