The blacklisting option for inbound filters is not that useful as you can only react to malicous attempts to bloat your data. In the sphere of websites it is impossible to keep the API key private. While measures like rotating the key with deployments can mitigate the situation they will never solve the problem. What would solve the problem is a whitelist approach on the inbound filters. I know where I have my application deployed. I know which hosts should report. It is a one-time setup that I only have to adjust whenever I change my deployment locations.