Chris Shiflett's Blog:
Referer Buys You Nothing
Feb 04, 2005 @ 13:59:42

In a quick reminder to the community, Chris Shiflett points out that the "Referer Buys You Nothing".

I am very surprised at how often I see Referer checking being mentioned as a safeguard against form spoofing. I can't properly express how completely useless this is. I've even had people try to argue with me, convinced that this is a sound technique.

Too many systems rely on this kind of check to ensure that the posted values come from their own site, but, as he points out, the Referer header is trivially spoofed by the client. His suggestion for an added bit of security? Put a key in a hidden form field that is unique to that particular loading of the form and can still be checked once the values are submitted.
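The hidden-field key he suggests, as an added PHP example (not code from the original post or from Chris's blog): each rendering of the form gets a fresh random token that is stored in the session, and a submission is accepted only if it carries a token that matches, has not expired, and has not been used before. The function names, the session key and the 900-second lifetime are my own assumptions.

```php
<?php
// Added example: per-form-load token in a hidden field, verified on submit.
// Not Chris Shiflett's code; the Referer header is deliberately not consulted.
session_start();

// Issue a fresh, unpredictable token for this rendering and remember it server-side.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));           // 64 hex chars, 256 bits of entropy
    $_SESSION['form_tokens'][$token] = time();     // keyed by token so several open forms coexist
    return $token;
}

// Validate the submitted token: it must exist in the session, be unexpired, and be single-use.
function consume_form_token(?string $submitted, int $ttl = 900): bool
{
    if ($submitted === null || empty($_SESSION['form_tokens'])) {
        return false;
    }
    foreach ($_SESSION['form_tokens'] as $stored => $issued) {
        if (hash_equals($stored, $submitted)) {            // constant-time comparison
            unset($_SESSION['form_tokens'][$stored]);      // one submission per token
            return (time() - $issued) <= $ttl;             // reject stale tokens
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired, or already used.');
    }
    // ... handle the accepted submission here ...
    echo 'Submission accepted.';
    exit;
}

$token = issue_form_token();
?>
<form method="post" action="">
    <input type="hidden" name="token"
           value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="comment">
    <button type="submit">Send</button>
</form>
```

A forged request from another origin cannot supply a valid token because it never received the form rendering that issued it, which is exactly the property a Referer check only pretends to provide.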
