The Computer Oracle

If 'To' and 'From' headers are the spammer's email address, how did I get this email?


Music by Eric Matyas
https://www.soundimage.org
Track title: Future Grid Looping

--

Chapters
00:00 If 'To' And 'From' Headers Are The Spammer's Email Address, How Did I Get This E
01:06 Accepted Answer Score 12
01:41 Answer 2 Score 9
02:46 Answer 3 Score 5
03:10 Answer 4 Score 3
06:10 Thank you

--

Full question
https://superuser.com/questions/207926/i...

--

Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...

--

Tags
#email #thunderbird #spamprevention #headers

#avk47



ACCEPTED ANSWER

Score 12


How can you see if you are a BCC recipient if you really are a BCC recipient? The nature of BCC is that it hides all the recipients of the message listed in the BCC field...

I've worked with distribution lists before in Outlook, and if I put all my recipients in the BCC field, and my own email/name in the To field, then no one but me can see who else the email was sent to...

Also, the spammer's email address in the To field could be the name of a distribution list... - thus hiding all of the emails that way...




ANSWER 2

Score 9


The e-mail address in the envelope “To” has as much to do with the addresses in the To: and Cc: fields in the e-mail headers as the address on a snail mail envelope has to do with the recipient address on the letterhead of the paper in the envelope. That is, it is the responsibility of the sender to make them match, and the mail delivery service is not going to open the letter to check that it hasn't been misaddressed.

In the case of e-mail, this isn't completely true: e-mail delivery systems do inspect the mail contents (headers and body) to catch spam and viruses. But if you're Bcc'ed on an e-mail, your address will be on the envelope but not anywhere in the mail (that's why it's called a blind carbon copy — some e-mail clients generate a separate copy of the mail where they include your address in an extra field, but this is not universal). This is a legitimate use case, and spammers make use of it. (You are bcc'ed on that mail, by definition — you are an intended recipient without being a documented recipient.)

Having an envelope “To” that is not mentioned in the headers is a hint that the mail may be spam, but it's only a hint. It happens legitimately to bcc's and bounced mails.




ANSWER 3

Score 5


The whole point of a Bcc: list is that the recipients can't see it. It's perfectly lawful for the envelope recipient (the recipient specified in the RCPT TO: SMTP transaction) and the header recipient (the address in the To: line) to be different; that's how Bcc lists are achieved.

So don't worry, this is completely normal.




ANSWER 4

Score 3


And to see the BCC in action, here's what happens when sending some test message to a Gmail account (which probably will end up in the junk folder).

First, figure out who's handling incoming Gmail messages:

host gmail.com
gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.

Next, type the commands in bold, like in Terminal on a Mac or a DOS prompt in Windows. Don't change the dummy mail from: <me@example.com>:

telnet gmail-smtp-in.l.google.com 25
Trying 74.125.79.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP p57si7771934eeh.86

helo example.com
250 mx.google.com at your service

mail from: <me@example.com>
250 2.1.0 OK p57si7771934eeh.86

Next, type the following, changing your-real-gmail-address@gmail into whatever Gmail address you want the test message to be delivered to. (The angle brackets <...> are required.) You can also use multiple rcpt to: lines, as long as these are known to Gmail:

rcpt to: <your-real-gmail-address@gmail>
250 2.1.5 OK p57si7771934eeh.86

data
354 Go ahead p57si7771934eeh.86

After the 354 Go ahead, anything you type, up to a line with just a dot, will be considered to be the message. This is totally independent of the rcpt to: you already issued above. The headers go first, then a blank line, followed by the body text. Just paste something like the following. Again, don't change the @example.com addresses:

Date: Sun, 7 Nov 2010 11:40:00 +0100 (CET)
From: Him <him@example.com>
To: Someone <someone@example.com>
Cc: "Someone else" <someoneelse@example.com>
Subject: Not in the TO, not in the CC

Hello Someone!
.

(Eventually press Ctrl-] and type quit to exit Telnet.)

Note that in the actual message above your own email address is not mentioned at all. This is also how BCC is handled; it often does not use the Bcc: header, as then the sending party could not deliver the same message to multiple recipients of the same provider in one go.

Upon receiving this message, this yields:

Delivered-To: <your-real-gmail-address@gmail>
Received: ...
Return-Path: <me@example.com>
Received: from example.com (<the sender DNS name and IP address here>)
Message-Id: <4cd67cb8.427e0e0a.60a2.4040SMTPIN_ADDED@mx.google.com>
...
Date: Sun, 7 Nov 2010 11:40:00 +0100 (CET)
From: Him <him@example.com>
To: Someone <someone@example.com>
Cc: "Someone else" <someoneelse@example.com>
Subject: Not in the TO, not in the CC

Hello Someone!

Here, Gmail added the Delivered-To: header; I am not sure if all mail servers do that.

But: the regular headers do not mention the true recipient at all, and are really just a copy of whatever you typed. And your email client typically only shows details from the message. For example, the bounce address (mail from: and Return-path:) might be different from the displayed sender (From:), and both might be false. And the date is really just the date that the sender has set. Sometimes spam has a date in the future or past, in an attempt to get the message displayed on top of your screen even after new messages have arrived.
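As an added example (not code from any of the answers above), the following script applies the envelope-versus-header point to a received message: it reads the Delivered-To: header that the receiving server recorded from RCPT TO, compares it with the To:/Cc: addresses the sender wrote, and also compares the bounce domain (Return-Path:) with the displayed From: domain. The sample message is constructed from the dummy values in the telnet session above; the function names are my own.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed sample shaped like the Gmail test message in the answer above
# (not a real captured message; the addresses are the answer's dummy values).
RAW_MESSAGE = """\
Delivered-To: <your-real-gmail-address@gmail>
Return-Path: <me@example.com>
Date: Sun, 7 Nov 2010 11:40:00 +0100 (CET)
From: Him <him@example.com>
To: Someone <someone@example.com>
Cc: "Someone else" <someoneelse@example.com>
Subject: Not in the TO, not in the CC

Hello Someone!
"""

def documented_recipients(msg):
    """Addresses visible in To:/Cc:, i.e. whatever the sender chose to write."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}

def envelope_recipient(msg):
    """The RCPT TO address as recorded by the receiving server in Delivered-To:.
    Returns None when the server did not add that header (not all servers do)."""
    value = msg.get("Delivered-To")
    if value is None:
        return None
    return parseaddr(value)[1].lower() or None

def domain_of(addr_header):
    """Domain part of the first address in a header value ('' if absent)."""
    addr = parseaddr(addr_header or "")[1]
    return addr.rpartition("@")[2].lower()

def analyze(raw):
    """Summarise the envelope-vs-header facts a mail client normally hides."""
    msg = email.message_from_string(raw)
    delivered = envelope_recipient(msg)
    documented = documented_recipients(msg)
    return {
        "delivered_to": delivered,
        "documented_recipients": sorted(documented),
        # True when we received it without being named: a Bcc-style delivery.
        "undocumented_delivery": delivered is not None and delivered not in documented,
        # Bounce address domain differs from the displayed From: domain.
        "return_path_mismatch": domain_of(msg.get("Return-Path")) != domain_of(msg.get("From")),
    }

if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

An undocumented delivery is only a hint, as Answer 2 says: legitimate Bcc and mailing-list traffic produce the same result, so treat it as one signal among several rather than a spam verdict.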