I gave up and stopped using it (well, I didn't bother reimplementing it on one of my various blog engine rewrites).
If I were to implement pingback or webmention today I'd use a moderation queue with the ability to allow-list trusted domains so they get to skip moderation in the future.
I've implemented WebMentions in a project that uses it as a push notification system for websites that integrate our widget (which is just a <script> tag they include on their page). That kinda works: if you integrate the widget, you know you can expect WebMentions from https://plaudit.pub, and thus add it to an explicit allowlist.
Most POST spam is repetitive. It's very rare human POSTs are. If you filter out any POSTs that happen identically more than 3 times you remove most spam. It's not perfect but it makes it manageable. Of course this is a lot easier to implement if you batch process.
If I were to implement pingback or webmention today I'd use a moderation queue with the ability to allow-list trusted domains so they get to skip moderation in the future.