Doing web traffic and log analysis, but there are a lot of malformed headers being passed from clients. These have characters transposed or replaced with "x"'s.

Does anyone know where they come from or why? Is this some kind of attempt at security, or something more nefarious?

Examples:

xroxy-connection: Keep-Alive
cneoction: close
nncoection: close
ocpry-connection: Keep-Alive
pxyro-connection: close
proxy-~~~~~~~~~~: ~~~~~~~~~~
x-xorwarded-for: 000.00.00.000
Referer: http://www.example.xom/nxws/article/2009-1x-21/?cid=4xxx00x2-0x60x3x0
A: 

A Google search for "xroxy-connection" turns up a security advisory on Kerio Winroute Firewall which replaces the first character in a header with an X for some reason.

The letter transposition is probably a similar proxying issue, if I had to take a guess.

Mark Rushakoff
A: 

Check out the Missed Cneonctions section of Fun With HTTP Headers. The author thinks:

I now believe this is something done by a hackish hardware load balancer trying to “remove” the connection close header when proxying for an internal server. That way, the connection can be held open and images can be transmitted through the same TCP connection, while the backend web server doesn’t need to be modified at all.

Kevin Hakanson
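
One way to group these variants during log analysis, as an added example that is not part of the original question or answers: map each mangled name back to the header it most likely started as and label the kind of mangling. The names `classify`, `tally`, `KNOWN` and `FILLERS` are hypothetical, and the one-letter tolerance is an assumption made because two of the question's samples (`cneoction`, `ocpry-connection`) are not exact anagrams of the real header names.

```python
from collections import Counter

# Canonical names of the headers mangled in the question's samples.
KNOWN = ("connection", "proxy-connection", "x-forwarded-for")
FILLERS = set("x~")  # characters the samples use to overwrite originals


def classify(name):
    """Return (canonical_name, kind); kind is exact, overwritten,
    transposed, near-transposed or unknown."""
    n = name.strip().lower()
    if n in KNOWN:
        return n, "exact"
    for canon in KNOWN:
        if len(n) == len(canon):
            # Same length and every differing position holds a filler char.
            diff = [a for a, b in zip(n, canon) if a != b]
            if all(ch in FILLERS for ch in diff):
                return canon, "overwritten"
        # Compare letter multisets: identical means a pure transposition.
        missing = Counter(canon) - Counter(n)
        extra = Counter(n) - Counter(canon)
        off = max(sum(missing.values()), sum(extra.values()))
        if off == 0:
            return canon, "transposed"
        if off == 1:  # assumption: tolerate one lost or swapped letter
            return canon, "near-transposed"
    return None, "unknown"


def tally(lines):
    """Count mangled names per (canonical, kind) in 'Name: value' lines."""
    counts = Counter()
    for line in lines:
        name, sep, _ = line.partition(":")
        canon, kind = classify(name)
        if sep and kind not in ("exact", "unknown"):
            counts[(canon, kind)] += 1
    return counts


# Header lines from the question, plus two constructed normal ones.
SAMPLE = ["xroxy-connection: Keep-Alive", "cneoction: close",
          "nncoection: close", "ocpry-connection: Keep-Alive",
          "pxyro-connection: close", "proxy-~~~~~~~~~~: ~~~~~~~~~~",
          "x-xorwarded-for: 000.00.00.000",
          "Host: www.example.com", "Connection: keep-alive"]

if __name__ == "__main__":
    for key, count in sorted(tally(SAMPLE).items()):
        print(key, count)
```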
