You are supposed to verify that you get your POST parameters from the source you expect it to come from. In the case of Paypal, let's use their Instant Payment Notification (or IPN) as an example.
Looking at their IPN docs, they suggest:
Check email address to make sure that this is not a spoof
However, more importantly, you should look at:
verify_sign = AtkOfCXbDm2hu0ZELryHFjY-Vb7PAUvS6nMXgysbElEn9v-1XcmSoGtf
Before you can trust the contents of the message, you must first verify that the message came from PayPal. To verify the message, you must send back the contents in the exact order they were received and precede it with the command _notify-validate, as follows:
This means that, when you receive an IPN to example.com/return.php page
, which can be at any time and not in the normal flow of a HTTP request / response that your end-user will be triggering, you then send this information back to PayPal and get them to verify that what you received was both correct and from them.
PayPal will then send one single-word message, either VERIFIED, if the message is valid, or INVALID if the messages is not valid.
So in your hypothetical example of someone sending spoofed data to your endpoint, PayPal would verify it as invalid anyway, and then you can go about what you need to do to make sure it doesn't happen again (logging, IPTables etc).