in reply to Spammers and my form

If you have control of your httpd server's configs, you can modify them to only allow your subnet, IP, domain, etc. from even accessing the cgi script to begin with. In this way, you let the httpd server do the IP-based authentication rather than reinventing the wheel in your script.

Good luck

Re (2): Spammers and my form
by VSarkiss (Monsignor) on Apr 28, 2003 at 18:05 UTC

    As Ovid correctly points out above, IP addresses and domains can be spoofed, so this won't add much security at all. The only reliable way for this to work would be on an intranet behind a firewall -- which would render the OP's question moot.

      Limiting access by IP address will add enough security for his purposes. Sure, a determined hacker could spoof IP addresses and access the script. But a spammer's bot isn't that sophisticated. Blocking by IP address will stop them and is easy to implement. It should be implemented with web server access control instead of in the script.

      Similarly, basic authentication would be helpful and easy to get working. Won't stop sniffing or brute-force search, but it will provide a little more security for leaving it open to the world.

      He is using a Matt Wright script is probably a good idea too. Lack of access controls means anyone can post messages. Bad code can mean that anyone can do violence to his machine.

        He is using a Matt Wright script is probably a good idea too.
        I can't parse that sentence, but are you saying it's a good thing that he's using an MSA script? I disagree strongly. Matt Wright has publicly stated that those scripts have problems and are insecure, that he wrote them when he didn't know much about programming or internet security.

        But a spammer's bot isn't that sophisticated.
        I wouldn't know, I've never written a spambot. ;-)

        Basically, my point is that there are some good techniques described in this thread, and limiting by IP is a half measure at best. Use one of the better ones.

Re: Re: Spammers and my form
by bobafifi (Beadle) on Apr 29, 2003 at 21:35 UTC
    I'm not familiar with "httpd server's configs," but am already using .htaccess to block IP addresses. Can I use .htaccess "to only allow your subnet, IP, domain, etc. from even accessing the cgi script to begin with"? If so, how? Many thanks, -Bob
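
An added example for the .htaccess question above; it is not part of the original thread. It restricts one CGI script to an allow-list of addresses using standard Apache directives. The file name `form.cgi`, the addresses (documentation ranges) and the domain are placeholders.

```apache
# .htaccess in the directory that holds the CGI script.
# The server config must permit these overrides for this directory:
#   AllowOverride Limit       for Order / Deny / Allow
#   AllowOverride AuthConfig  for Require
# "form.cgi" is a placeholder for the real script name.

<Files "form.cgi">

    # Apache 2.4 and later (mod_authz_core + mod_authz_host).
    # Several Require lines are ORed: a client matching any one is admitted,
    # everyone else receives 403 Forbidden before the script is executed.
    <IfModule mod_authz_core.c>
        Require ip 192.0.2.0/24
        Require ip 198.51.100.17
        # Domain-based rule. Apache does a double reverse DNS lookup per
        # request, so it is slower and depends on DNS being trustworthy.
        # Require host example.com
    </IfModule>

    # Apache 1.3 / 2.0 / 2.2 (mod_access, later mod_authz_host).
    # "Order deny,allow" evaluates Deny first, then lets Allow override it,
    # so the result is default-deny with the listed exceptions.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
        Allow from 198.51.100.17
        # Allow from .example.com
    </IfModule>

</Files>
```

Requests from outside the listed ranges show up in the access log with status 403, which makes it easy to confirm the rule is being applied to the bot traffic.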