Is it possible that email sent via
$result=mail($to, $subject, $message, $headers);
We're seeing this happen, too. We traced the cause to an admin adding
mail.add_x_header = On to
php.ini. We found this actually injects several headers containing the file name into emails:
With today's neural-network self-teaching autonomous filters, common file names like
ws.php can be associated with spam. It doesn't care why, just plays the odds. The filter sees something in the list mentioned a lot of times, and suddenly your emails will trip the spam filters.
We had the option to change the file name, but I like your approach of using
curl to redirect to a safe page!