I think you could give Apache's mod_proxy a try.

With a properly configured proxy, the "click bombing" would just return the same document, without calling the CGI.

I'm not sure if it would work with POST method, and you might have problems if you use authentication or sessions.