This is a pretty serious attack - is there really no way to mitigate it? An arbitrary HTTP header is pretty low on the totem-pole of trust, so why don't they periodically check DNS records for corroboration?