Spam sent from web

Do you have any idea how to prevent this?
The only way you captcha on the site with page?
PHP can be secure and enforce additional authorization?

Fragment of my postqueue:

Code:

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
8FBF9304815* 3453 Sun Oct 13 12:46:08 web35@prime.pl
gioia.pisano@ey.com

540EE30480D* 3446 Sun Oct 13 12:46:07 web35@prime.pl
ginobianchini@ey.com

29F7B30BF17* 3466 Mon Oct 14 08:13:26 web35@prime.pl
kmarcoux@maildomination.com

75484305A84* 3453 Sat Oct 12 21:33:37 web35@prime.pl
support@kongu.com

9C2EE303DAB* 3472 Sat Oct 12 13:23:59 web35@prime.pl
thebjohnstons@sbcglobla.net

58CF7304808* 3451 Sun Oct 13 12:46:06 web35@prime.pl
gino.sasso@ey.com

020F830D0B1* 3444 Mon Oct 14 07:30:25 web35@prime.pl
saccentev@coned.com

00B6D305742* 3441 Sat Oct 12 23:30:59 web35@prime.pl
Mulee@compaq.net

DB88930D0D3* 3450 Mon Oct 14 07:30:22 web35@prime.pl
sablianj@coned.com

A263D30A5BE* 3438 Mon Oct 14 02:21:03 web35@prime.pl
roger@villa.com

ED5AB30D08D* 3454 Mon Oct 14 07:30:25 web35@prime.pl
saddiesmith@coned.com

611AD30481A* 3443 Sun Oct 13 12:46:02 web35@prime.pl
ginny.hoce@ey.com

F3F9130D0A6* 3439 Mon Oct 14 07:30:21 web35@prime.pl
sabinoaa@coned.com

D322930D0AC* 3440 Mon Oct 14 07:30:23 web35@prime.pl
sablod@coned.com

mail.log:

Code:

Oct 10 09:53:29 prime postfix/qmgr[2954]: C5E0F1287ED4: from=<web35@prime.pl>, size=4842, nrcpt=1 (queue active)
Oct 10 09:53:29 prime amavis[27159]: (27159-09-23) Passed CLEAN {RelayedOpenRelay}, <web35@prime.pl> -> <2052124@compass-group.co.uk>, Message-ID: <20131010075322.892481287EE7@prime.pl>, mail_i
Oct 10 09:53:30 prime postfix/local[27848]: 1C8BB1287ED8: to=<web35@prime.pl>, relay=local, delay=0.03, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 10 09:53:30 prime postfix/local[27848]: 742271287ECF: to=<web35@prime.pl>, relay=local, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 10 09:53:33 prime postfix/local[27848]: 8CB2F1287ECD: to=<web35@prime.pl>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 10 09:53:33 prime amavis[27159]: (27159-09-25) Passed CLEAN {RelayedInbound}, [74.125.83.66]:46601 [74.125.83.66] <> -> <web35@prime.pl>, Queue-ID: 187C71287ED1, Message-ID: <089e01681ba4d5fad104e
Oct 10 09:53:33 prime postfix/smtp[27036]: 187C71287ED1: to=<web35@prime.pl>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=25, delay=8.5, delays=0.12/4.9/0/3.5, dsn=2.0.0, status=sent (250 2.0.0 from MT
Oct 10 09:53:38 prime amavis[27873]: (27873-02) Passed CLEAN {RelayedInbound}, [212.188.178.246]:52393 [212.188.178.246] <> -> <web35@prime.pl>, Queue-ID: 2ECCD1287ECD, Message-ID: <20131010075332.DB7
Oct 10 09:53:38 prime postfix/local[27848]: 0F0981287ECE: to=<web35@prime.pl>, relay=local, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Oct 10 09:53:38 prime postfix/smtp[26447]: 2ECCD1287ECD: to=<web35@prime.pl>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.9, delays=0.19/0/0/3.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0
Oct 10 09:59:55 prime postfix/qmgr[2954]: E5D961287ECC: from=<web35@prime.pl>, size=4860, nrcpt=1 (queue active)

 

We started to block ALL email (@gw) from web-servers that tried to send email directly out. This requires (external) SMTP accounts for ALL web-sites on these servers.

Basically this is a lot more work but so far we have not figured out a way to do this smarter.

 

mail.add_x_header - Adds an extra header to the e-mail showing which script made the call to mail()

=> http://php.net/manual/en/mail.configuration.php

 

reviving this old thread as I have a related question:

so assuming I've mostly secured outgoing emails, what about the occasional ones that slip through? I mean they bounce back into something like web35@prime.pl (just picking up the above example) which means they'll never reach me or the client.

Would it not be possible to setup a catch-all which redirects all webXX to the client who owns that particular web?