It took my a while of searching before I found this mailing list entry that gave me really good instructions on how to manually show what triggered URIBL_SBL. I needed this as we were blocking a client and had to figure out why they were getting blocked.
First, URIBL_SBL won’t have anything to do with the senders email address,
or their mailserver IP.
That’s a URI blacklist, thus only has anything to do with URI’s (more or
less the same as a URL in this discussion)
Thus you need to look at all the weblinks in the body of the email. No part
of the headers is relevant. only body, and only something that might look
like a web link to SA’s parser.
In the case of uribl_sbl it’s a little less direct than just trying to use
openrbl or something similar, because how this test is implemented is tricky.
First, take the target domain, and find it’s nameserver
$dig ns example.com
next resolve the nameserver to an ip:
now take that, and go to openrbl and check to see if THAT is listed in sbl.
(or do it yourself by reversing the ip)
Example IP 192.168.100.10
dig txt 10.100.168.192.sbl.spamhaus.org
See the link for an Example