diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
index f5c8c798..78b87cdc 100644
--- a/CONTRIBUTORS.txt
+++ b/CONTRIBUTORS.txt
@@ -120,3 +120,5 @@ Contributors
 - Jamie Matthews, 2013/06/19
 - Adam Groszer, 2013/08/15
+
+- Matt Russell, 2015/01/14
diff --git a/waitress/parser.py b/waitress/parser.py
index dec96f63..b315f55a 100644
--- a/waitress/parser.py
+++ b/waitress/parser.py
@@ -182,6 +182,8 @@ def parse_header(self, header_plus):
 index = line.find(b':')
 if index > 0:
 key = line[:index]
+ if b'_' in key:
+ continue
 value = line[index + 1:].strip()
 key1 = tostr(key.upper().replace(b'-', b'_'))
 # If a header already exists, we append subsequent values
diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py
index ed3a66cd..7c76da03 100644
--- a/waitress/tests/test_parser.py
+++ b/waitress/tests/test_parser.py
@@ -396,9 +396,24 @@ def testDuplicateHeaders(self):
 self.assertEqual(self.parser.headers, {
 'CONTENT_LENGTH': '7',
 'X_FORWARDED_FOR':
- '10.11.12.13, unknown,127.0.0.1, 255.255.255.255',
+ '10.11.12.13, unknown,127.0.0.1',
 })
+ def testSpoofedHeadersDropped(self):
+ data = b"""\
+GET /foobar HTTP/8.4
+x-auth_user: bob
+content-length: 7
+
+Hello.
+"""
+ self.feed(data)
+ self.assertTrue(self.parser.completed)
+ self.assertEqual(self.parser.headers, {
+ 'CONTENT_LENGTH': '7',
+ })
+
+
 class DummyBodyStream(object):
 def getfile(self):
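Review bot: The added `if b'_' in key: continue` carries no comment, and the reason for it is security-relevant and not obvious from the two lines themselves: `key1` is built two lines later by mapping `-` to `_`, so a raw header name that already contains `_` (e.g. `X_Forwarded_For`) would land on the same CGI-style key as the legitimate hyphenated header and could add to or override its value. Suggest `# Drop headers whose raw name contains '_': after the '-' -> '_' mapping below they would collide with, and could spoof, the hyphenated header of the same name.` above the new `if`. The drop is silent, so a client whose genuine underscore-named header disappears gets no diagnostic; a debug-level log here would help operators, assuming the parser has a logger in scope (not visible in this hunk). parse_header starts and ends outside the hunk.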
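Review bot: testSpoofedHeadersDropped only checks that a lone `x-auth_user` header vanishes; it does not exercise the collision the parser change exists to prevent, where both `x-auth-user: alice` and `x-auth_user: bob` are sent and the result must be exactly `'X_AUTH_USER': 'alice'`. Adding the line `x-auth-user: alice` to the request data and `'X_AUTH_USER': 'alice',` to the expected dict would pin that the spoofed value is neither substituted for nor joined onto the genuine one by the duplicate-header path. The change to testDuplicateHeaders presumably removes a `255.255.255.255` value that came from an underscore-named header in request data outside this hunk; confirm that data line is still present so the assertion tests the drop rather than just a shorter list.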