Preventing cURL Referrer spoofing

Question 1

No, there's no definitive way of determing the URL Referrer.

As per the HTTP spec, HTTP_REFERER is optional. Some firewall packages strip these out by default, some clients don't send the referer value, and and there are numerous ways (like the one you showed in the question) to modify this value.

In short, the HTTP_REFERER value cannot be trusted. There will always be some way to modify these values. This is mentioned in the PHP manual documentation for $_SERVER (emphasis mine):

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

To answer your question: no, there is no way to prevent HTTP_REFERER value being altered. I'd suggest you double-check the value before using it (optionally, apply htmlspecialchars() on it to prevent injection) or don't use it at all. Unfortunately, it is a "take it or go home" deal.

Question 2

There is nothing you can do about this referrer tempering. All of the web-stats scripts are depending on this referrer. Even the giant web-stats sites including google-analytics gets fooled by this fake referrer.

It could be a nice solution to check back the referrer url. I mean visit the referrer and check whether your url exists there or not. But of course its time consuming, slow, and also requires a huge bandwidth as well. However it is not enough to overcome this issue.

Here are few problems at where you'll not find your link when you are tracking back the referrer url:

What if the referred url is behind the session? For example a link came from email like yahoo, google, or from a private forum.
What if the url came from a javascript link/click?
Link from an iframe is nonetheless of javascript link as well.