RewriteCond %{HTTP_REFERER} ww\.theirsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} theirsite\.com [NC]
#RewriteRule .* - [F]
You don't want referer. You want hostname. And if you cribbed this code from someone else, never use their code again; it uses two lines to say what could be said in one. In fact the first Condition as written is completely redundant, since it's a subset of the second.
But don't you already have a domain-name-canonicalization redirect? The one that looks like this:
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
If you are content to just forcibly redirect requests from their site-- which is a pretty big neener-neener on its own-- that's all you need to do. If you want to disown any and all connection with the site, go to
RewriteCond %{HTTP_HOST} example\.biz
RewriteRule .? - [F]
Put this at the front of your RewriteRules, with any other [F] rules. Here example.biz is the offending site. Unlike your domain-name redirect, this version uses no anchors, because you want to be sure to grab everyone.
If it makes you happy you can replace the [F] part with a redirect to 127.0.0.1. Keep it with the [F] rules, because this redirect is functioning as a denial. Never redirect to an existing third-party site. This applies even to robots who don't follow redirects; here it's doubly Not Nice because we're talking about unsuspecting humans.
A final option is to redirect back to the offending site. But this will place a bit of a load on your server, since browsers make anywhere from 10 to 30 requests before throwing in the towel. (It's the equivalent of screaming
Wrong number! thirty consecutive times into the telephone-- while telling them to call the same number again.)
