Re: Unique User Logging and Lock Out

by cfreak (Chaplain)
on Nov 17, 2004 at 22:53 UTC ( [id://408643] )


in reply to Unique User Logging and Lock Out

It is spoofable but not as easily as HTTP_REFERER. Not saying not to check it, but use it along with other methods of verification.

There are several things you can do to help yourself besides just $ENV variables.

First of all, if you can, I'd block the offending IP at the firewall. If you don't have access to the firewall but you're using Linux and have some kind of admin privilege, you can add the IP to the /etc/hosts.deny file. Or use iptables.

If your form is generated, then use a signature to sign the page and then submit it along with your form. Make a random MD5 and store that somewhere with the IP address. Then when the form is submitted, use the signature to retrieve the IP used to load the page and compare the two. Deny if there is no signature, the signature isn't stored, or the IPs don't match. Make sure to delete the stored stuff after the comparison (whether it passed or failed). You might want to store a timestamp as well and expire the signatures.

At the very least this approach will slow an attack down because it will force an attacker to get the correct signature for every submit to your form. You can still lock the IP if it connects too much as well, forcing any attacker to keep changing or spoofing new ones, hopefully giving up.

Having good input checking will also help. Deny if the same information has already been submitted. And make sure the information you accept is carefully looked over. Only allow generally accepted formats for names, addresses, phone numbers, etc. And make sure your numerical fields only contain numbers. You don't have to lock out people who make mistakes, but you keep the information from reaching your database or payment processor. Plus you force the person to get a new signature. Transparent if they are using your app, but more difficult for automated tools.

HTH
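As an added illustration (not cfreak's code), here is one way the page-signature scheme described in the reply could be put together in Perl. The in-memory %pending hash, the 600-second lifetime and the sample addresses are assumptions for the example; a real CGI would keep the store in a file, database or cache shared between requests.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Hypothetical store for this example: token => { ip => ..., ts => ... }.
my %pending;
my $TTL = 600;    # seconds a signature stays valid (assumed value)

# Called when the form page is generated: mint a random token, remember
# which IP loaded the page and when, and return the token for a hidden field.
sub issue_signature {
    my ($ip, $now) = @_;
    $now //= time;
    my $token = md5_hex( join '|', $ip, $now, $$, rand(), rand() );
    $pending{$token} = { ip => $ip, ts => $now };
    return $token;
}

# Called when the form is submitted. Looks up the token, checks its age,
# compares the IP that loaded the page with the IP submitting it, and
# deletes the entry whether or not the check passes, so every submit
# needs a freshly issued signature.
sub verify_signature {
    my ($token, $ip, $now) = @_;
    $now //= time;
    return 'missing signature' unless defined $token && length $token;
    my $rec = delete $pending{$token};
    return 'unknown signature' unless $rec;
    return 'expired signature' if $now - $rec->{ts} > $TTL;
    return 'ip mismatch'       if $rec->{ip} ne $ip;
    return 'ok';
}

# Constructed walk-through with documentation-range addresses and fixed clock values.
my $t1 = issue_signature('203.0.113.10', 1000);
print verify_signature($t1, '203.0.113.10', 1005), "\n";   # page and submit from the same IP
print verify_signature($t1, '203.0.113.10', 1006), "\n";   # same token submitted a second time
my $t2 = issue_signature('203.0.113.10', 1000);
print verify_signature($t2, '198.51.100.7', 1005), "\n";   # submit arrives from a different IP
my $t3 = issue_signature('203.0.113.10', 1000);
print verify_signature($t3, '203.0.113.10', 2000), "\n";   # submit arrives after the lifetime
print verify_signature(undef, '203.0.113.10', 2000), "\n"; # hidden field absent
```

Because the entry is deleted on lookup, a mismatched or expired submission also invalidates the token, which is what forces a fresh page load (and a fresh signature) for every attempt.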
