I'd use $ENV{'HTTP_REFERER'} too. This way you can check if the request came from an allowed source (your server and your previous page) or not. It's not 100% trustable... but it's one more barrier.

Something like this:

my $allow;
$ENV{'HTTP_REFERER'} eq "MY_SERVER_MY_PAGE" ? $allow = 1 : $allow = 0;
[download]

To add some more difficulty to the proccess of injecting trash into your forms you could use session-variables and/or cookies.

the problem with blocking IPs is you never know who's behind the computer. Could be a legitimate person, trying to buy something, or could be a smart guy trying to ruin your business.