One way to do it is to match the message file name from the log with the message file name of the message. Many email platforms include this information in the headers and/or their own logs.

In a postfix or similar installation, you could (probably should) use the xhdr option. SNF can be configured to produce a .xhdr file which contains customizable details on the SNF rules that fired.

For example, with the xhdr option turned on, when SNF was passed the message file 20120418113833_688.msg, it would have created a file 20120418113833_644.msg.xhdr that contained X- headers suitable for that message. Your script could then add these headers to the message file before re-injecting it. (and then delete the .xhdr file to clean up)

That way - the message itself would contain all of the information needed to track down any false positives. Specifically, the x-header information contains a folded list of rule ids and rule groups corresponding to the match and final lines you see in the log.

If you prefer not to go with the xhdr option then you could have your filter script emit an x-header that contains the file name used to scan the message.