Spam messages from "friends"

One member of my site sent out 'Nigerian emails' to other members, via the site's message function.

I think this person was able to 'friend' them, and thus was able to send a message (and by default, an email) to any other member.

Can anyone confirm that is the way Elgg works? It certainly seems so.

Second, is the 'friend' relationship defined on the database regardless of who initiates? Thus, is "Stephen befriends Dhrup" the same as "Dhrup befriends Stephen?" If that's the same relationship on the database, then it would seem to be a big deal to change anything.

But, if the friend relationship is one-way ... then could we make a modification so that members could only send to other members who had friended them back, i.e. both relationships exist?