For me, there are varying degrees of YIKES, including seeing people click on links in their referer logs... Why? Because your private stats pages can be tracked-back, too, you know:)
So let's see. About suspect referers and such --
Perhaps the following will give you some ideas/options, or even peace of mind if you have the mind-bogglingly wonderful (& just plain mind-boggling) mod_rewrite. (See WW's Apache Web Server Forum)
There are perfectly innocent reasons for a lack of referer headers, from bookmarks to hardware. Also, hiding referer headers is increasingly billed as a 'personal privacy feature' in software because others can't see where you've been (us server-protective log addicts being amongst the untrusted others. Alas.). The current crop of easily obtained software referer hiders includes Norton's "Privacy Control" component and (too) many Firefox extensions.
What to do if visitors are iffy?
Well, I redirect them via mod_rewrite (302) to a plain IP where they're met with a page indicating something's awry and urging them to e-me (address is a graphic) and include all the data on the page. The page captures and shows their UA, and IP/HOST info so it's a quick and easy way for me to troubleshoot.
FWIW, more times than not visitors reply along the lines of: "I'm a computer dummy. My (son, grandson, daughter, nephew, handyman, neighbor) installed everything on this machine for me..." I don't fret about those folks, but it is time-consuming to educate them about what to uncheck or undo.
The visitors I eyeball a lot more closely are those whose referer headers and/or UAs are obviously faked. Like visitors appearing to refer from Google but minus variables. Like the UA I saw yesterday:
Okay, so that was an easy one:) And probably someone just goofing around. But if they know enough to goof around -- to not just 'blank' a referer or UA but go a step further and actually swap in something else -- they may also know enough to be dangerous, either accidentally or on purpose. (Read: Script Kiddies.) Maybes get mod_rewrited (302) straight away and sometimes they end up e-mailing an apology!
3.) NO WAY
This is my YIKES category -- the visitors whose browsing behavior gets me to hang up the phone or set something else aside and hunker down in order to act quickly.
These include visitors with UAs allllmost akin to real ones and they can be tough to spot. But if a visitor has an iffy UA, and no referer info, and a suspect IP/Host, and/or they hit and run (home page; no graphics) or hit too quickly (1-3 pps), and/or trigger various hidden traps, then I immediately rewrite them (403) to yet another special page (where pertinent details are logged via "exec cmd") and see if I ever hear from them again. I don't, probably because real people aren't even at the other end.
(Aside: Notorious UAs, from e-mail suckers to site scrapers, are blocked from the get-go. Also, suspect hosts include a staggering number of Africa- and Asia-based IPs, and lately, the Netherlands. Those get coded into the firewall by the block-full.)
Yikes! That was a lot of unsolicited info:) Hopefully some of it will be helpful to somebody!
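As an added example (not part of the original post), the signals the post describes can be scored offline against an access log before any rewrite rule is written. The log lines are constructed, and the browser-UA pattern, the three-page minimum for the rate check and the signal names are assumptions; suspect IP/host lists and hidden traps are left out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" log format (documentation IPs, not real traffic).
SAMPLE = '''\
192.0.2.10 - - [10/Oct/2006:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "http://www.google.com/search?q=widgets" "Mozilla/5.0 (Windows; U) Gecko/20060909 Firefox/1.5.0.7"
192.0.2.10 - - [10/Oct/2006:13:55:37 +0000] "GET /logo.gif HTTP/1.1" 200 900 "http://example.test/" "Mozilla/5.0 (Windows; U) Gecko/20060909 Firefox/1.5.0.7"
198.51.100.7 - - [10/Oct/2006:14:01:02 +0000] "GET / HTTP/1.1" 200 5120 "http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [10/Oct/2006:14:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozzila/4.0"
203.0.113.5 - - [10/Oct/2006:14:02:00 +0000] "GET /a.html HTTP/1.1" 200 700 "-" "Mozzila/4.0"
203.0.113.5 - - [10/Oct/2006:14:02:01 +0000] "GET /b.html HTTP/1.1" 200 700 "-" "Mozzila/4.0"
'''

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d+ \S+ "([^"]*)" "([^"]*)"')
IMAGE = re.compile(r'\.(gif|jpe?g|png|ico)$', re.I)
BROWSER_UA = re.compile(r'^(Mozilla|Opera)/\d')  # assumption: loose "looks like a browser" test
GOOGLE_BARE = re.compile(r'^https?://([\w-]+\.)*google\.[a-z.]+(/[^?]*)?$', re.I)  # Google, no query

def classify(log_text, pps_limit=1.0):
    seen = defaultdict(lambda: {"pages": [], "images": 0, "signals": set()})
    for m in map(LINE.match, log_text.splitlines()):
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, path, referer, ua = m.groups()
        v = seen[ip]
        if IMAGE.search(path.split("?")[0]):
            v["images"] += 1
        else:
            v["pages"].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        if referer in ("", "-"):
            v["signals"].add("no_referer")      # innocent on its own, per the post
        elif GOOGLE_BARE.match(referer):
            v["signals"].add("google_no_vars")  # "from Google but minus variables"
        if not BROWSER_UA.match(ua):
            v["signals"].add("iffy_ua")
    verdicts = {}
    for ip, v in seen.items():
        s, pages = v["signals"], v["pages"]
        if pages and v["images"] == 0:
            s.add("no_graphics")                # hit and run: pages but no images
        if len(pages) >= 3:
            span = (max(pages) - min(pages)).total_seconds() + 1
            if len(pages) / span >= pps_limit:
                s.add("too_fast")               # sustained pages per second
        worst = {"iffy_ua", "no_referer"} <= s and s & {"no_graphics", "too_fast"}
        tier = "no way" if worst else "maybe" if s & {"iffy_ua", "google_no_vars"} else "ok"
        verdicts[ip] = (tier, sorted(s))
    return verdicts
```

A blank referer alone never raises a visitor above "ok" here, matching the post's point that missing referers often have innocent causes.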