The main reason Webmention is less susceptible to spam than Trackback is, is because with Trackback, there is no requirement that the comment text have its own URL. At least with Webmention, a spammer has to create a URL for the spam comment.
The webmention.io service sends a secret token in the payload so you can verify the request came from there.
That is what I kind of tackled above, I think: In practice, all blog engines will confirm that the URL the trackback points to actually contains a link to the site receiving the trackback. I see no practical difference there between the two protocols. But your use of comments and comment urls makes me think I might miss your point?
Thanks for opening the issue, I will add a comment and subscribe.
The main reason Webmention is less susceptible to spam than Trackback is, is because with Trackback, there is no requirement that the comment text have its own URL. At least with Webmention, a spammer has to create a URL for the spam comment.
The webmention.io service sends a secret token in the payload so you can verify the request came from there.