3

On a pretty clean 2007 setup, I'm seeing A LOT of mail with senders such as:

0.0011a7f8@roman
htyme@14009d3cb93848c
0-lz@14009d3cb93848c
0-5-1@home-4fd909062d
0-td@h109-187-48-125.dyn.bashtel.ru

All with a spam level rating in the lower range, such as 1 and 2.

How can I make that ship tighter?

3 Answers

2

Even if the anti-spam feature is enabled, there is still an added option to enable Anti-Spam Updates that contact Microsoft for periodic spam signature updates (does not happen by default... or without a price; more on that later). It's located at Server Configuration >> Hub Transport >> Action Pane >> Enable Anti-Spam Updates. However, you will need one Exchange Enterprise CAL for each mailbox that is protected, and AFAIK there is no option to only protect some mailboxes. It's all or nothing and they're $15 with my non-profit discount. I can only imagine how expensive they are at retail pricing.

Furthermore, you might want to look into using a DNSBL. You can add those at Organization Configuration >> Hub Transport >> Anti-Spam tab >> IP Block List Providers. I use zen.spamhaus.org and combined.rbl.msrbl.net, which seem to do fairly well.

However, at the end of the day, nothing beats a real, dedicated anti-spam system. In spite of all the aforementioned built-in Exchange tools, I'm looking into using Postini for my filtering. Too much spam makes it through. You may have to look into a service like that or purchase an anti-spam filter like GFI MailDefense or get an appliance like a Barracuda.

Matt Simerson
Wesley
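How a lookup against an IP block list provider such as zen.spamhaus.org works, as an added example that is not part of the original answer: the connecting IP's octets are reversed, the zone is appended, and the A-record answer is interpreted. The sample zone data and the `resolve` hook are constructed so the block runs offline; the 127.255.255.0/24 check is this example's way of covering the 127.255.255.x codes Spamhaus returns when it refuses a query (for instance one arriving through a public resolver).

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")       # normal DNSBL return codes
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus "query refused" codes

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, e.g. 2.0.0.127.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)   # raises ValueError for anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_resolver(name):
    """A-record lookup through the OS resolver; any lookup failure gives []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []   # fails open: a DNS outage must not reject all mail

def check_dnsbl(ip, zone, resolve=system_resolver):
    """Return (verdict, codes); verdict is 'listed', 'not_listed' or 'error'."""
    answers = [ipaddress.IPv4Address(a) for a in resolve(dnsbl_query_name(ip, zone))]
    codes = [str(a) for a in answers]
    if not answers:
        return "not_listed", codes
    # Checked first: the error codes also sit inside 127.0.0.0/8, so a naive
    # "any answer means listed" rule would reject every sender.
    if any(a in ERROR_NET for a in answers):
        return "error", codes
    if all(a in LISTED_NET for a in answers):
        return "listed", codes
    return "error", codes   # answer outside 127/8: wildcarded or hijacked zone

# Constructed zone data for the offline demo; these are not real Spamhaus answers.
SAMPLE_ZONE = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],   # DNSBL test entry
    "7.113.0.203.zen.spamhaus.org": ["127.255.255.254"],        # refused query
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.7", "192.0.2.1"):
        print(ip, check_dnsbl(ip, "zen.spamhaus.org", sample_resolver))
```

Running the same check with the default `system_resolver` from the mail server itself shows whether the resolver it uses gets real answers or an error code from the list.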
1

The best way to tighten the Exchange ship is by hiding it behind a secure and reliable mail filtering service. As Wesley stated, one popular option is using a commercial filtering appliance.

If you're a do-it-yourselfer, have a look at a filtering MTA such as Haraka. You'd use the rcpt_to.ldap plugin to validate Envelope Recipients and then forward the messages to your Exchange server using smtp_forward or outbound. The latter includes queueing, in case your Exchange server is down. I currently use exactly this setup for several Exchange servers and it works well.

Since Node.js runs on Windows, it might be possible to run Haraka on a Windows server.

If you're willing to consider mature (re: old Perl scripts) software for UNIX-based systems, there's also ASSP (Anti-Spam SMTP Proxy) and qpsmtpd. Both are free, provide very robust filters, and are designed to drop in front of mail servers lacking adequate abuse defenses.

Matt Simerson
1

You haven't said if you've enabled the antispam feature, which AFAIK is not enabled by default. If you haven't, follow this article:

http://www.petri.co.il/install-anti-spam-exchange-2007.htm

joeqwerty
  • Once you're sure you've enabled it, remember that Microsoft doesn't give away anything all that useful for free. :) There are many effective antispam solutions available out there (including Microsoft's EHS - a hosted service) that will do a far better job than this built-in Exchange feature. – icky3000 Feb 06 '10 at 04:33