I wonder how many of those Facebook spam comments are entirely real accounts that've been compromised (access tokens and/or logins). Would make them even harder to detect.
You don't even need that. You just need a bunk chrome extension or local spyware and they can easily redirect the occasional FB comment through a remote infected node which is a real person, likely logged into facebook, of which they likely have access to hundreds of thousands. Let the person change their FB credentials all they want to try to get out of that.
