I wouldn't worry too much about misuse, since people could just visit the page hundreds of times anyway to achieve the same result - just make a post request to a javascript menu callback, and log from there.
I was concerned about that one could fabricate a post call and do it programmaticaly. Having validation at least requires semi-real visits from a JS capable browser and some automatization, which hopefully is a little bit more difficult to do on large scale than the fabrication. However it just dawned on me that I could just check for a session in the callback code, which should prevent most fabrications to work. Earnie: yes I looked at other alternatives, but none of them seems to give me the simple output of the standard access module, just more accurately (-bots). Thanks for the feedback, Balazs