Webmentions are a spammer's wet dream. There is a reason they were adopted only by the Indieweb crowd.
Anyway, my point was less "ActivityPub can do everything people can do with RSS" and more "having a mechanism to for bidirectional authenticated messages opens up the possibility of new applications".
The real interesting part will happen when/if more developers realize that ActivityPub can do more than "federated versions of popular social media platforms".
I might be misunderstanding what you're saying here. How is ActivityPub more authenticated than Webmention? WM requires the poster to host their content on a website. This is exactly what the AP spec says to do. Now, since the spec was published, most AP implementations also support HTTP signatures[0], but this doesn't provide additional guarantees that you can't get with WM. The authentication is still tied to a URL.
As far as spamming goes, I don't see how WM is any worse than AP. In both protocols your only options are passlists and/or blocklists.
[0]: And an old version that doesn't have an official spec. ActivityPub's issues with spec stagnation and de facto standards is a whole other thing.
I haven't dug into these, so apologies for the naive question, but for a multi-tenant service like WordPress.com, can you effectively limit which WordPress blogs can WebMention you? If the allowlist is formed on the domain, this seems limiting.
Perhaps more advanced URL regex can achieve more fine-grained control but I do still see advantages in pubkey auth (especially if people want to move their content.)
Still, I do find myself wishing for a lighterweight-than-ActivityPub middleground.
Webmention receivers can filter on whatever parts of a URL they want to. Maybe a WordPress implementation limits this to the domain? But as far as the spec goes, the receiver just gets a `source` parameter that's a URL. They can then decide to allow that (based on the domain, or any other characteristic they want) and at that point they check that URL to see if the document there contains the link that it's supposed to.
You're right, in default configurations ActivityPub definitely has an advantage here, since HTTPsigs are tied to users, not instances, which gives finer grained blocking. I'm not aware of anything like this for Webmention.
I suspect this is because WM is used far less than AP. It also grew out of a community (IndieWeb) where having your own domain is a core tenet.
I think something like Mastodon could work with WM though, since all URLs hang off of user URLs, so you could block by URL prefix, ie "block https://example.com/user1/*".
Spammers would have to host a page (permanently) that links to your post, and even then they don't get to control what (if anything) from that page gets displayed on your site.
I guess one danger is that they only serve the page that contains your link to the webmention-validating request. That way they get a backlink but don't have to keep a public outgoing link. They'd have to know that a given request is that validation though, and I'm not sure that'd be very easy.