Add Spam check endpoint

What does this MR do?

Add a configurable Spam API endpoint, send it some data, and the SpamVerdictService can use multiple verdicts to determine if something is spammy looking.

This MR:

• Adds a configurable spam_check_endpoint that must be a valid URL to application settings
• Combines verdicts from Akismet and the custom spam endpoint, taking the more restrictive of each

n.b. I'm happy to split this MR into smaller MRs along the bullet points above.

The endpoint is only provided with a user ID at the moment, but that will change in a future iteration as that is developed further.

Database migration output

$ rake db:migrate:up VERSION=20200508050301
== 20200508050301 AddSpamCheckEndpointToApplicationSettings: migrating ========
-- column_exists?(:application_settings, :spam_check_endpoint_url)
   -> 0.0543s
-- add_column(:application_settings, :spam_check_endpoint_url, :text)
   -> 0.0016s
-- transaction_open?()
   -> 0.0000s
-- execute("ALTER TABLE application_settings\nADD CONSTRAINT check_d820146492\nCHECK ( char_length(spam_check_endpoint_url) <= 255 )\nNOT VALID;\n")
   -> 0.0035s
-- execute("ALTER TABLE application_settings VALIDATE CONSTRAINT check_d820146492;")
   -> 0.0012s
-- column_exists?(:application_settings, :spam_check_endpoint_enabled)
   -> 0.0484s
-- add_column(:application_settings, :spam_check_endpoint_enabled, :boolean, {:null=>false, :default=>false})
   -> 0.0368s
== 20200508050301 AddSpamCheckEndpointToApplicationSettings: migrated (0.1601s) 

$ rake  db:migrate:down VERSION=20200508050301
== 20200508050301 AddSpamCheckEndpointToApplicationSettings: reverting ========
-- column_exists?(:application_settings, :spam_check_endpoint_url)
   -> 0.0304s
-- remove_column(:application_settings, :spam_check_endpoint_url)
   -> 0.0015s
-- column_exists?(:application_settings, :spam_check_endpoint_enabled)
   -> 0.0283s
-- remove_column(:application_settings, :spam_check_endpoint_enabled)
   -> 0.0028s
== 20200508050301 AddSpamCheckEndpointToApplicationSettings: reverted (0.0632s) 

Screenshots

Application Settings -> Reporting -> Spam

Does this MR meet the acceptance criteria?

Conformity

• Changelog entry
• Documentation (if required)
• Code review guidelines
• Merge request performance guidelines
• Style guides
• Database guides
• Separation of EE specific content

Availability and Testing

• Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
• Tested in all supported browsers
• Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

• Label as security and @ mention @gitlab-com/gl-security/appsec
• The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
• Security reports checked/validated by a reviewer from the AppSec team

Related to #118613