HTTP is a stateless protocol. There is no way to stop this against a determined hacker. Therefore you can never fully trust the data coming from any form.
You can protect the page using some authentication means but I'm guessing this is for some contact us page or the like that is open to the public without a log in. In that event you only have a few options.
One of the best is to see if you have a session for the user. Whether logged in or not they should have a session id. Use a heap table to store when the form is sent to a browser and what session it was under. If you get a post request without a corresponding form request for the same session you can be fairly certain it is an attack.
That said, the attacker can spoof the session. So drop the session from the heap table on submit. This forces their script to request the form each time they submit.
Finally time them - note the time you sent the form on said heap table and the time of the response. A bot can send a response faster than humanly possible. Disregard posts received like that. Force the attacker to wait.
At this point if they are simply looking for a spam relay they'll go to a softer target, but with persistence even this can be thwarted. However, you will have neutralized most of the advantages of automating the attack.
Beyond this you'll have to use some form of user auth I think.
EDIT: HTTP_REFERER is useless for this purpose. It and all $SERVER vars that start with HTTP are provided by the client and can be faked by a reasonably competent hacker.