HTTP_REFERER is not guaranteed to be accurate. Some firewalls strip that information out before allowing the page request to leave the network. Some browsers strip or modify it as well. Way too many people know how to fake it too.