Check the Facebook setting "Who can look you up using the email address or phone number you provided?" if it is set to Everyone, change it.
If you friends list is set to public and the previous setting set to Everyone (default), spammers can look up your email address and then view your friends list to compose an email with their name. By changing this one setting you can prevent this.
I would also like to recommend the Chrome Extension www.PrivacyFix.com