
BLU Discuss list archive



How does a spammer hide the destination address?



Sorry if this is a bit off topic, but you guys and ladies seem to have a
thorough understanding of SMTP rules. I'm hoping you can help me learn...

One of our users ("kathy" in the header below) has received about 30
messages from other people trying to unsubscribe from a mailing list called
centerforgastricbypass.com. This domain has nothing to do with our company,
and she is in no way associated with that organization. I could block the
messages at our gateway, but I'm curious how this could be happening: there
is no indication in the message that it's going to her until you look at the
header (see below).

I used the Sam Spade email header parser (a VERY cool tool, by the way), and I
can see where the suspicious activity begins, as well as her address, but it's
not clear to me how that can be hidden in the message itself. I know you can
hide the sender, but I wasn't aware that you can hide the destination
address. Here's what I'm looking for:

1) Any ideas on how the destination email address can be hidden so that you
can't see it outside of the header, but it routes properly?
2) Suggestions on how to stop this aside from simply blocking the domain?

Thanks in advance.
Scott

Note: I've replaced the following information in the header:
The name of my company is replaced with MYCOMPANY.
The IP address of my external SMTP server is replaced with 10.0.0.0.
My server names have been changed to smtpserver, spamscanner and email.
Internally, my mail goes from the Internet to "smtpserver" (SuSE Linux
running Postfix, ClamAV and SpamAssassin, IP=10.0.0.0), then to "spamscanner"
(Barracuda Spam Firewall, IP=10.6.10.2), then to "email" (MS Exchange mailbox
server).
Sorry for all the obfuscation, but I'm the paranoid, cynical one.

****HEADER START****
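The situation the post describes (a To: header that names the mailing list while the message is still delivered to kathy) is the ordinary gap between the SMTP envelope recipient (RCPT TO) and the To:/Cc: headers inside the message: the MTA routes on the envelope, and the header is just free text. The envelope recipient usually survives only in trace headers such as Postfix's `Delivered-To` and the `for <...>` clause of `Received` lines. The following script is an added example, not part of the original post or of the Sam Spade tool; it parses a constructed header (placeholder domains `mycompany.example` and `centerforgastricbypass.example`, modelled on the post's obfuscated setup) and lists envelope recipients that appear nowhere in To:/Cc:, which is exactly the check a gateway admin would want when triaging this kind of message.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample header, modelled on the post: the visible To: names the
# mailing list, while the trace headers record delivery to kathy.  All
# domains, IPs and queue ids here are placeholders, not real data.
SAMPLE = b"""Delivered-To: kathy@mycompany.example
Received: from smtpserver.mycompany.example (smtpserver.mycompany.example [10.0.0.0])
\tby spamscanner.mycompany.example (Postfix) with ESMTP id 1A2B3C
\tfor <kathy@mycompany.example>; Mon, 01 Jan 2007 10:00:00 -0500
Received: from unknown (HELO mail.centerforgastricbypass.example) (192.0.2.10)
\tby smtpserver.mycompany.example (Postfix) with SMTP id 4D5E6F
\tfor <kathy@mycompany.example>; Mon, 01 Jan 2007 09:59:58 -0500
From: someone@elsewhere.example
To: unsubscribe@centerforgastricbypass.example
Subject: please remove me

Please take me off this list.
"""

# The 'for <addr>' clause an MTA appends to its Received line is its record of
# the envelope (RCPT TO) recipient for that hop.
FOR_CLAUSE = re.compile(r"\bfor\s+<([^>]+)>", re.IGNORECASE)


def envelope_recipients(raw: bytes) -> list[str]:
    """Addresses the MTAs say they delivered to (Delivered-To and the
    'for <...>' clauses of Received headers), newest hop first, de-duplicated."""
    msg = email.message_from_bytes(raw)
    found = [h.strip().lower() for h in msg.get_all("Delivered-To", [])]
    for received in msg.get_all("Received", []):
        m = FOR_CLAUSE.search(received)
        if m:
            found.append(m.group(1).strip().lower())
    return list(dict.fromkeys(found))  # keep order, drop repeats


def header_recipients(raw: bytes) -> list[str]:
    """Addresses the message *claims* it was sent to: the To: and Cc: headers.
    These are under the sender's control and need not match the envelope."""
    msg = email.message_from_bytes(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def hidden_recipients(raw: bytes) -> list[str]:
    """Envelope recipients that never appear in To:/Cc:, i.e. the case from the
    post where kathy gets mail that is visibly addressed to someone else."""
    visible = set(header_recipients(raw))
    return [a for a in envelope_recipients(raw) if a not in visible]


if __name__ == "__main__":
    print("header To:/Cc: ", header_recipients(SAMPLE))
    print("envelope       ", envelope_recipients(SAMPLE))
    print("hidden         ", hidden_recipients(SAMPLE))
```

Two caveats for anyone running this over real mail: MTAs generally omit the `for <...>` clause when a message has several envelope recipients, so an empty result does not prove the address was not targeted, and only the Received lines added by your own servers are trustworthy; anything below them was written by the sender and can say whatever they like. Filtering on such a mismatch at the gateway is a heuristic, not a rule, since legitimate mailing-list and Bcc traffic produces the same pattern.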




