In an earlier version of our infrastructure we had rewrite rules in the IIS web.config file to explicitly deal with HTTP_HOST header spoofing to make sure that only requests for valid hosts were coming to the applications. (In our current infrastructure, all of that sort of BFM happens well before the request gets to the web server.) We cared because there was no legitimate reason to allow goofy stuff like that through and because in some cases we were using host/server names to determine what environment the application was running in.
Looking at some of those you’ve noted, that sort of looks like what you’re dealing with here?