We should realize that any technology without controls will be taken advantage of. There's a reason we've moved away from insecure default logins, unauthenticated admin portals and allowing apps to do whatever they want - those things have all been abused.
Security must start in the design. Spam killed pingbacks, and unless Webmentions are designed with that flaw in mind they're doomed to the same end.
I agree, but I think it's also worth learning from past experiences. Pingbacks do create a significant spam problem. How does Webmention.io cope with that?
Based on experience with Pingbacks, the Webmention specification requires the sending site to have a mentioning URL on a publicly available web page. This requirement by itself cuts down significantly on spam as it increases the cost of sending it. (Pingbacks/Trackbacks didn't have this requirement so it was easy to programmatically spew spam in all directions.) In addition to this, there's no requirement to show the received Webmention, so there's less benefit to some spammers in these cases.
Many people who do receive and display them have separate mechanisms to moderate them before display, which also tends to minimize spam. Other sites that support Webmentions also dovetail with anti-spam services like Akismet, which can help filter spam out as well.
And this is all without anyone adding the Vouch extension to the Webmention spec.
Keep in mind that webmention.io is just a third party service to allow sites to use and leverage Webmention notifications without needing to write any code. Many major CMSes like WordPress, Drupal, Craft, WithKnown, et al. either support the spec out of the box or with plugins/modules. Each of these can also leverage anti-spam methods they have available separately. As an example of this, the WordPress plugin has an allow list for automatically approving webmentions from sites one regularly communicates with.
The idea of Webmentions has been around for almost a decade, and the spec has been a W3C recommendation since 2017. Only one suspected case of Webmention spam has been reported in the wild in that time. I'd conservatively estimate that with 10,000+ independent websites sending/receiving over 2 million Webmentions in the past several years, it's not a bad start. For more details, ideas, and brainstorming for your potential use-cases see also: https://indieweb.org/spam
> Based on experience with Pingbacks, the Webmention specification requires the sending site to have a mentioning URL on a publicly available web page. This requirement by itself cuts down significantly on spam as it increases the cost of sending it. (Pingbacks/Trackbacks didn't have this requirement so it was easy to programmatically spew spam in all directions.)
It wasn’t required for spec. conformance, but it was recommended by the spec. and implemented by all the early implementations.
> Upon receiving a request, servers MAY do what they like. However, the following steps are RECOMMENDED:
> The server MAY attempt to fetch the source URI to verify that the source does indeed link to the target.
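The receiver-side check described two comments up (the sending page must publicly link to the target) and quoted from the spec directly above, as an added example. This is not code from the thread, from webmention.io, or from any CMS plugin mentioned here. The `fetch` callable, the `my_origins` list, and the sample pages in `PAGES` are constructed so it runs offline; the private-address check is a practitioner's addition for a receiver that fetches attacker-chosen URLs, not a step the spec text above requires.

```python
"""Webmention receiver verification: validate source/target, fetch the source,
and confirm it actually links to the target (the RECOMMENDED steps quoted above).
Added example; the HTTP fetch is injected so it runs against constructed pages."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect <a href> values from a page; only anchor links count for the check."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _is_public_http_url(url):
    """Accept only http(s); reject literal-IP hosts in loopback/private ranges.
    Practitioner's addition (assumption, not from the spec): the receiver fetches
    URLs chosen by the sender, so this narrows SSRF exposure. Hostname resolution
    is deliberately out of scope for this offline example."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ip_address(parts.hostname)
    except ValueError:
        return True  # a hostname, not a literal IP address
    return ip.is_global


def verify_webmention(source, target, fetch, my_origins=("https://example.com",)):
    """Return (ok, reason). `fetch(url)` returns the source page's HTML or raises.
    `my_origins` (assumed) lists the origins this receiver accepts targets for."""
    if source == target:
        return False, "source and target must differ"
    if not _is_public_http_url(source) or not _is_public_http_url(target):
        return False, "unsupported or non-public URL"
    if not any(target == o or target.startswith(o + "/") for o in my_origins):
        return False, "target is not on this site"
    try:
        body = fetch(source)
    except Exception as exc:
        return False, f"could not fetch source: {exc}"
    parser = _LinkCollector()
    parser.feed(body)
    if target not in parser.hrefs:
        return False, "source does not link to target"
    return True, "verified"


# Constructed sample pages standing in for live HTTP responses (not real sites).
PAGES = {
    "https://alice.example/posts/reply":
        '<p>Replying to <a href="https://example.com/post/1">this post</a></p>',
    "https://spammer.example/junk":
        '<p>Buy things. No link to the target here.</p>',
}


def fake_fetch(url):
    """Stand-in for an HTTP GET of the source URL."""
    try:
        return PAGES[url]
    except KeyError:
        raise RuntimeError("404")


if __name__ == "__main__":
    target = "https://example.com/post/1"
    for src in ("https://alice.example/posts/reply", "https://spammer.example/junk",
                "https://nope.example/", "http://127.0.0.1/admin"):
        print(src, verify_webmention(src, target, fake_fetch))
```

Only the first source verifies; the junk page is rejected because it does not link to the target, the unknown page because the fetch fails, and the loopback address before any fetch is attempted. Note that this is the spec's "does the source link to the target" check only; it raises the cost of spam but does not by itself judge content, which is what the moderation and Akismet-style filtering mentioned above are for.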
Cross that bridge when you get there. If nobody uses it, there's no problem. If so many people are using it that it attracts spam, then the users can decide how to solve it at that point in time.
Spam was my first thought as well. Back in the golden age of blogging, I loved getting pingbacks on my posts, but the ecosystem became flooded with spam to the point that anybody old enough to remember what pingbacks are will automatically associate them with spam. It'd be nice if this service could address this concern, which lots of people will have immediately, and it appears they do via a plugin, as mentioned in another comment.
Since this is a centralized-ish service, it'd be good if they could perhaps address this at the hub-level.
The spam problem helped kill independent blogging by driving bloggers to centralized hosting.
The great thing about MovableType, b2, and eventually WordPress was that pretty much anyone could install it on a shell account and set up a fairly sophisticated publishing system. The lousy thing about MT and WordPress was that it was fairly easy to write automated tools to spam comments and trackbacks, and now your unsophisticated bloggers were trying to become DBAs and understand the nuanced differences between MyISAM and InnoDB tables and locking and…oh…it was easier to migrate to Blogger and TypePad and eventually Tumblr/Facebook.
No, if you build without spam prevention you end up with a situation where you have to retrofit it, annoying legitimate users and having a huge fight over control.
Or it drowns in spam and everyone quietly drops it .. or it never takes off at all. Shrug