That seems like the best way. Each request doesn't result in an immediate transaction but instead just enters into a queue. You look at the queue and see if the requests look suspicious before approving them manually. Designed right it wouldn't be foolproof, but it could be handled entirely by one person - they'd just have a list like IP, account name, time, and a checkbox (and select/deselect all buttons), say 100 items per page, and could just approve or deny them en masse.
There is risk of denying a legitimate request that happens to be in the middle of a ton of spam, but just add a note to the page explaining this risk. People shouldn't be too upset that someone who's giving away free money might miss their request. :p

For those suggesting Javascript games and such, you should know that the browser is no more than a user interface. Whatever you achieve in the game, the browser has to report back to the server - a bot can just tell the server anything it wants. So the only secure mechanism is to make it work similar to mining, where the client - be it a browser or a bot - has to do several minutes' worth of computation to figure out a valid response to send to the server, and each response is only valid once.

It's worth noting though that in my experience, browsers and OSes of all types suck at limiting CPU usage by Javascript, and a script doing heavy computation like that can bog down the entire machine. So it's not a really user-friendly solution... :/