Each application gets a unique URL, that is supposedly kept secret from any other party. They are also very easy to rotate, as the specification advises to ask for a new one (that could be the same) on every app launch.

Moreover, when something is sent to that URL, it gets forwarded to the application, which then interprets it before displaying a notification (for most apps).

By spam, I think you meant someone sending messages to random people's notification area. No, this is highly unlikely.