Sometimes an insecure configuration allows spammer to use the www-data user to send emails with you postfix server.
Normally this is the case, when you get a bunch of error email from your mailserver, that some emails from firstname.lastname@example.org could not be delivered.
To be sure, that this situation cannot exist, you can add the www-data user to a block list:
In /etc/postfix/main.cf just add
authorized_submit_users = !www-data, static:all
and restart you postfix server.
You will now get a lot of error in you log like this one:
postfix/sendmail: fatal: User www-data(33) is not allowed to submit mail
After some time, the spammers will hopefully loose interest in you server :-).