If 'To' and 'From' headers are the spammer's email address, how did I get this email?

Solution 1:

How can you see if you are a BCC recipient if you really are a BCC recipient? The nature of BCC is that it hides all the recipients of the message listed in the BCC field...

I've worked with distribution lists before in Outlook, and if I put all my recipients in the BCC field, and my own email/name in the To field, then no one but me can see who else the email was sent to...

Also, the spammer's email address in the To field could be the name of a distribution list... - thus hiding all of the emails that way...

Solution 2:

The e-mail address in the envelope ”To” has as much to do with the addresses in the To: and Cc: fields in the e-mail headers as the address on a snail mail envelope has to do with the recipient address on the letterhead of the paper in the envelope. That is, it is the responsibility of the sender to make them match, and the mail delivery service is not going to open the letter to check that it hasn't been misaddressed.

In the case of e-mail, this isn't completely true: e-mail delivery systems do inspect the mail contents (headers and body) to catch spam and viruses. But if you're Bcc'ed on an e-mail, your address will be on the envelope but not anywhere in the mail (that's why it's called a blind carbon copy — some e-mail clients generate a separate copy of the mail where they include your address in an extra field, but this is not universal). This is a legitimate use case, and spammers make use of it. (You are bcc'ed on that mail, by definition — you are an indetended recipient without being a documented recipient.)

Having an envelope “To” that is not mentioned in the headers is a hint that the mail may be spam, but it's only a hint. It happens legitimately to bcc's and bounced mails.