Only if they’re using Postfix to send mail. If they’re abusing a web application to send using their own MTA implementation, it will not go through Postfix, and any limiting you do in Postfix will do nothing.
OP isn’t willing to take a few minutes to figure out how their system is being abused, so there is no simple answer for how to fix it.