How are they doing what they do? How could a spammer get to know Mirrorshades protocol to send a false referrer report (which is not the Referer header) in an AJAX request?
At least some of them appear to use a more general-purpose method than that. They actually load pages and execute scripts with document.referrer and the Referrer header faked-up. Though it's presumably more resource-intensive, it has the benefit of working for a wide variety of analytics setups, both hosted and server-side.
Oh, right, they just got document.referrer, I had forgotten about that.
What if the analytics server actually parsed the referring page to see if there's a real link there and only confirm the referrer after that? Isn't there a third party service that checks these things?