Any http request is easy to spoof, but if somebody sets up a useragent with a spoofed referer, that UA will not lead to a sale (and if it does, you are happy anyway).

But it's harder to set up a server that responds to a standard client in such a way that it will send a wrong referer (at least I know no way).

You can still log the referer and the corresponding partner ID from the cookie, and ask the partner to stop that practice, after all it's in your Terms of Service.

Update: another idea: just send a request to the refering URL to see if it answers by a redirect. (Assuming that you don't allow images that lead to a redirecting CGI script)