Yes. While it is impractical to white-list our callbacks by IP address, all of our callbacks send the User-Agent header GrabzIt, so you can use .htaccess or some other method to block all HTTP requests to your handler except those with the GrabzIt user agent.
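Here is an example for .htaccess:

    # Tag requests whose User-Agent contains "GrabzIt"
    SetEnvIf User-Agent "GrabzIt" grabzit
    # Apache 2.2 access-control syntax (Apache 2.4 needs mod_access_compat)
    Order deny,allow
    Deny from all
    Allow from env=grabzit
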
The callback is the only direct communication between our capture servers and your app. All other communication should go through our web servers.
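
The same User-Agent rule written in Apache 2.4 syntax and scoped to the callback handler alone, so other files in the directory stay reachable. This is an added example, not GrabzIt's own configuration; the file name handler.php is an assumption.

```apache
# .htaccess in the directory that contains the callback handler.
# Assumption: the handler file is named handler.php; change it to match yours.

# Set the variable "grabzit" when the User-Agent header contains "GrabzIt"
SetEnvIf User-Agent "GrabzIt" grabzit

# Apply the restriction to the handler only, not the whole directory
<Files "handler.php">
    # Apache 2.4 (mod_authz_core): allow only requests that set the variable
    Require env grabzit
</Files>
```

The User-Agent header is chosen by the sender, so this rule filters out stray requests rather than authenticating GrabzIt.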