This is already well-known issue as a facebook message spoofing. Why? Because we can spoof mail header in a oldschool way :) For example this simple php script will do the job:
$to = 'facebookID@facebook.com'; $senderAddress = 'email@example.com'; $subject = 'Some subject'; $message = 'Some message'; $header = "From: $senderAddress\nReply-To: $senderAddress"; $mail = mail($to, $subject, $message, $header);This short video demonstrating above script in action:
PS. And yes, facebook is filtering and rejecting mails from facebook.com domain. If it didn't it would be devastating.