That is how HTTP works. If you look at an HTTP request (with F12 in most browsers), you will see it sends a URI to an IP (which it resolved from the hostname) and a Host header. Some other headers also, but those don't matter here.
So the only way* the device you send such a request to knows which host it is for is the Host header. And if you use that value for something, it might turn out weird.
There is little you can do, except, if you know which hosts are used on your virtual server, only allow those and drop all requests with different Host headers.
*) Yes, there is SNI, but that only works for HTTPS.
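
The allowlist check described above, as an added example that is not part of the original post: it reads the Host header from a raw HTTP request and drops anything that is not an expected host. The hostnames in `ALLOWED_HOSTS`, the function names and the sample requests are assumptions made up for illustration.

```python
# Assumption: the hostnames this virtual server is meant to serve.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

def normalize_host(value):
    """Lower-case the Host value, strip port and trailing dot; None if malformed."""
    host = value.strip().lower()
    if not host or any(c in host for c in " \t/@\\,"):
        return None
    if host.startswith("["):                  # IPv6 literal such as [::1]:8080
        end = host.find("]")
        rest = host[end + 1:] if end != -1 else "x"
        if rest and not (rest[0] == ":" and rest[1:].isdigit()):
            return None
        return host[:end + 1]
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():            # strict: a colon must be followed by digits
        return None
    return name.rstrip(".") or None

def host_headers(raw_request):
    """Return every Host header value found in the request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            values.append(value)
    return values

def decide(raw_request, allowed=ALLOWED_HOSTS):
    """'allow' only for exactly one Host header naming an expected host."""
    hosts = host_headers(raw_request)
    if len(hosts) != 1:                       # missing or duplicated Host header
        return "drop"
    return "allow" if normalize_host(hosts[0]) in allowed else "drop"

# Constructed sample requests, not captured traffic.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: WWW.Example.COM.:8080\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: other.test\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.com\r\nHost: other.test\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(decide(req), req.split(b"\r\n")[1:-2])
```

Normalizing before the comparison matters: without it, a legitimate request with a port or different capitalisation is dropped, and the application may end up reading a different Host value than the one the check compared.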