From the current spec:
- The verification process SHOULD be queued and processed asynchronously to prevent DDoS attacks.
- Receivers SHOULD moderate Webmentions, and if a link is displayed back to the source, SHOULD link to source with rel="nofollow" to prevent spam.
- Receivers MAY periodically re-verify webmentions and update them.
- If a receiver chooses to publish data it picks up from source, it should ensure that the data is encoded and/or filtered to prevent XSS and CSRF attacks.
This is well and good as far as it goes, but it's not enough to keep abuse from potentially sinking the whole thing in the not-too-distant future.
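To make the spec's receiver-side points concrete, here is a small verification pipeline written for this post (not code from the spec or from any Webmention implementation): the endpoint only checks shape and queues the mention, a worker verifies later that the source really links to the target, and any text taken from the source is escaped and displayed behind a rel="nofollow" link. The `fetch` callback is injected and the sample pages in the test are constructed, so it runs offline.

```python
import html
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urlparse

def _is_http(url):
    return urlparse(url).scheme in ("http", "https")

class SourcePage(HTMLParser):
    """Collects <a href> targets and the <title> text of a fetched source page."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.title, self._in_title = [], "", False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def render_backlink(source_url, display_text):
    """Display a verified mention: escape source-supplied text, nofollow the link."""
    if not _is_http(source_url):
        raise ValueError("only http(s) sources may be linked")
    return (f'<a href="{html.escape(source_url, quote=True)}" rel="nofollow">'
            f'{html.escape(display_text)}</a>')

PENDING = deque()  # the receiver's verification queue (in-memory stand-in for a real job queue)

def receive(source, target):
    """Endpoint handler: cheap shape checks only, then enqueue. Returns an HTTP status."""
    if not (_is_http(source) and _is_http(target)) or source == target:
        return 400
    PENDING.append((source, target))
    return 202  # accepted; verification happens later in the worker

def process_pending(fetch):
    """Worker: fetch(url) -> HTML text. Returns rendered backlinks for mentions that verify."""
    rendered = []
    while PENDING:
        source, target = PENDING.popleft()
        page = SourcePage()
        page.feed(fetch(source))
        if target in page.hrefs:  # the actual verification: source must link to target
            rendered.append(render_backlink(source, page.title.strip() or source))
    return rendered
```

Re-running `process_pending` over already-accepted mentions is the periodic re-verification the spec allows; a mention whose source no longer links to the target simply drops out of the rendered list.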