Disabled open relaying
Checked that there are no open ports
Installed Symantec MailSecurity
Updated all necessary security updates/patches from Microsoft
Disabled Guest account
What other loopholes are there?
The big loophole you have remaining is your password policy. I know that you are asking yourself "what does that have to do with spam?" Well, as it turns out, a great deal.
If a spammer can compromise a legitimate account in your company, it is possible for them to relay off of your SMTP servers using a SMTP AUTH attack. In simple terms, this means relaying mail (spamming) with a valid, albeit compromised, account.
The best protection against this is a strong password policy with strict enforcement of that policy. You might also consider implementing "passphrases" -- like 'You can't always get what you want' -- as they are easy to remember, yet extremely complex for a brute-force attack to crack. Of course, if this has already occurred, then you need to enforce a companywide password change, along with the stronger password policy.
I would also recommend that you periodically test your external SMTP host, with a tool such as telnet, to see if you can relay off it. This is important because you don't want to just take your Internet Service Provider's word for it. It is entirely possible that a spammer has hijacked your SMTP domain name and used it for sending out spam. Of course, if they do this, it looks like it came from your SMTP domain.
Doing an NSLookup on the IP address in the header of the spam will reveal, however, that it did not come from your servers. This is very common practice amongst spammers, and it sometimes leads to the erroneous reporting of e-mail abuse to your Internet Service Provider. Most Internet Service Providers will confirm that the mail is indeed from your servers before putting you on notice, but there is always that chance they won't do their due diligence.
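The relay test described above, scripted, as an added example that is not part of the original answer. It runs the same dialogue you would type into telnet (EHLO, MAIL FROM an outside address, RCPT TO an outside address, watch for a 250 versus a 550 "Unable to relay"), and then repeats it after an SMTP AUTH PLAIN logon, which is what a spammer holding a guessed or compromised password does. So that it runs offline, a small fake SMTP server stands in for the Exchange host; the domains, the "jsmith" account and its weak password are all constructed for the example, not taken from the page.

```python
import base64
import socket
import threading

# Constructed: the fake server's own domain, an outside recipient, an outside sender.
LOCAL_DOMAIN = "corp.example"
EXTERNAL_RCPT = "victim@example.net"
OUTSIDE_SENDER = "spammer@example.org"


def _send(conn, line):
    conn.sendall((line + "\r\n").encode())


def fake_exchange_server(port_holder, ready, valid_creds, allow_anon_relay):
    """Stand-in mail host: takes mail for LOCAL_DOMAIN, relays for authenticated sessions, relays for anyone when misconfigured."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port_holder.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    _send(conn, "220 mail.corp.example ESMTP")
    authed = False
    for raw in conn.makefile("rb"):
        cmd = raw.decode(errors="replace").strip()
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "EHLO":
            _send(conn, "250-mail.corp.example")
            _send(conn, "250 AUTH PLAIN")
        elif verb == "AUTH":  # AUTH PLAIN base64("\0user\0password"); a fake, so no error handling
            _, user, pw = base64.b64decode(cmd.split(" ", 2)[2]).decode().split("\0")
            authed = valid_creds.get(user) == pw
            _send(conn, "235 Authentication successful" if authed else "535 Authentication failed")
        elif verb in ("MAIL", "RSET"):
            _send(conn, "250 OK")
        elif verb == "RCPT":
            rcpt = cmd.split(":", 1)[1].strip(" <>").lower()
            relay_ok = rcpt.endswith("@" + LOCAL_DOMAIN) or authed or allow_anon_relay
            _send(conn, "250 OK" if relay_ok else "550 5.7.1 Unable to relay")
        elif verb == "QUIT":
            _send(conn, "221 Bye")
            break
    conn.close()
    srv.close()


def _reply(f, transcript):
    """Read one (possibly multi-line) server reply, log it, return the 3-digit code."""
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        transcript.append("S: " + line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3])


def _cmd(sock, f, transcript, line):
    transcript.append("C: " + line)
    sock.sendall((line + "\r\n").encode())
    return _reply(f, transcript)


def relay_check(host, port, creds=None):
    """Return (anonymous_relay, relay_after_auth, transcript). A 250 to RCPT TO
    an outside domain means the host relays for that session; None = not tried."""
    sock = socket.create_connection((host, port), timeout=5)
    f, log = sock.makefile("rb"), []
    _reply(f, log)  # banner

    def say(line):
        return _cmd(sock, f, log, line)

    say("EHLO probe.example")
    say(f"MAIL FROM:<{OUTSIDE_SENDER}>")
    anon = say(f"RCPT TO:<{EXTERNAL_RCPT}>") == 250
    after_auth = None
    if creds:  # a spammer holding a guessed password does exactly this
        after_auth = False
        if say("AUTH PLAIN " + base64.b64encode("\0{}\0{}".format(*creds).encode()).decode()) == 235:
            say("RSET")
            say(f"MAIL FROM:<{OUTSIDE_SENDER}>")
            after_auth = say(f"RCPT TO:<{EXTERNAL_RCPT}>") == 250
    say("QUIT")
    sock.close()
    return anon, after_auth, log


def run_probe(allow_anon_relay, creds=None):
    """Start the fake server (one constructed account with a weak password) and probe it."""
    port_holder, ready = [], threading.Event()
    t = threading.Thread(target=fake_exchange_server, daemon=True, args=(
        port_holder, ready, {"jsmith": "Summer2003"}, allow_anon_relay))
    t.start()
    ready.wait()
    result = relay_check("127.0.0.1", port_holder[0], creds)
    t.join(5)
    return result


if __name__ == "__main__":
    anon, after_auth, log = run_probe(False, ("jsmith", "Summer2003"))
    print("\n".join(log), "\nanonymous relay:", anon, "| relay after AUTH:", after_auth)
```

Against a correctly configured host the anonymous RCPT TO gets the 550, which is the result the answer tells you to look for; the second half of the transcript shows that the same host happily relays the moment a valid password is presented, which is why the password policy matters. To use this against a real server, call relay_check with the server's name and port 25 instead of run_probe, and only with an account you own.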
MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:
I ran into the same issue. I struggled to find how the spam was getting through for a long time. Finally, I had to call PSS at Microsoft. It turns out that there is an exploit/bug in Exchange 2000 server that spammers can use to send e-mail to nonexistent addresses. When they get the non-delivery report, they modify headers to send spam. The only way to turn it off is to turn off NDRs for the Exchange server.
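An added example, not part of the answer or the member feedback above, that covers both the point in the answer about reading the IP address out of the spam's header and the feedback about NDRs: the sender can forge the From address and can even add Received: lines that look as if the mail passed through your Exchange server, so the only Received: line worth reading is the one written by a host you trust (the complaining ISP's MX, or the remote MX that generated the bounce). That line records the IP that actually handed the message over; if it is not one of your servers, the mail did not come from you, and an NDR that returns such a message is backscatter from spam that forged your domain. The server addresses, host names and the three sample messages are constructed for the example; the reverse lookup of the IP that the answer describes is left to NSLookup, since it needs the network.

```python
import re
from email import message_from_string

OUR_SMTP_HOSTS = {"203.0.113.10", "203.0.113.11"}  # constructed: our outbound mail hosts

# The "from host (...[ip])" clause of a Received: header, stopping before its "by" clause.
_FROM_IP = re.compile(r"\bfrom\s+(?:(?!\bby\b).)*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
_BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.S)


def handoff_ip(msg, trusted_mx):
    """IP that handed msg to trusted_mx, read from the Received: line that
    trusted_mx wrote itself. Lines below it arrived with the message and can
    say anything (spammers add plausible ones), so they are never consulted."""
    for hdr in msg.get_all("Received", []):
        by = _BY_HOST.search(hdr)
        if by and by.group(1).lower() == trusted_mx.lower():
            frm = _FROM_IP.search(hdr)
            return frm.group(1) if frm else None
    return None


def origin_verdict(msg, trusted_mx):
    """'ours', 'forged from <ip>' or 'unknown' (no usable line written by trusted_mx)."""
    ip = handoff_ip(msg, trusted_mx)
    if ip is None:
        return "unknown"
    return "ours" if ip in OUR_SMTP_HOSTS else f"forged from {ip}"


def original_from_ndr(ndr):
    """The bounced original inside a standard NDR (its message/rfc822 part), or None."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def is_backscatter(ndr_text, bouncing_mx):
    """True when bouncing_mx returns a message it did not get from one of our
    hosts: the NDR is for spam that forged our domain, not for mail we sent."""
    original = original_from_ndr(message_from_string(ndr_text))
    return original is not None and origin_verdict(original, bouncing_mx).startswith("forged")


# Constructed: spam the ISP's MX received with our domain forged as sender, plus a
# fake lower Received: line meant to look as if it passed through our server.
FORGED_SPAM = """\
Received: from mail.corp.example (unknown [198.51.100.77])
\tby mx.isp.example (Postfix) with SMTP id 1A2B3C; Mon, 3 Mar 2003 09:12:44 -0500
Received: from sales-pc (sales-pc [10.1.2.3])
\tby mail.corp.example with ESMTP; Mon, 3 Mar 2003 09:12:40 -0500
From: sales@corp.example
Subject: Cheap software

buy now
"""

# Constructed: mail that really left our server.
GENUINE = """\
Received: from mail.corp.example (mail.corp.example [203.0.113.10])
\tby mx.isp.example (Postfix) with ESMTP id 4D5E6F; Mon, 3 Mar 2003 09:30:00 -0500
From: sales@corp.example

attached
"""

# Constructed: NDR from a remote MX for spam that forged sales@corp.example.
BACKSCATTER_NDR = """\
Received: from mx.remote.example (mx.remote.example [192.0.2.25])
\tby mx.corp.example with ESMTP; Mon, 3 Mar 2003 10:01:02 -0500
From: MAILER-DAEMON@remote.example
To: sales@corp.example
Subject: Undeliverable: Cheap software
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

nobody@remote.example: user unknown

--B1
Content-Type: message/rfc822

Received: from mail.corp.example (unknown [198.51.100.77])
\tby mx.remote.example with SMTP; Mon, 3 Mar 2003 10:00:58 -0500
From: sales@corp.example
To: nobody@remote.example
Subject: Cheap software

buy now

--B1--
"""

if __name__ == "__main__":
    print("spam   :", origin_verdict(message_from_string(FORGED_SPAM), "mx.isp.example"))
    print("genuine:", origin_verdict(message_from_string(GENUINE), "mx.isp.example"))
    print("NDR is backscatter:", is_backscatter(BACKSCATTER_NDR, "mx.remote.example"))
```

Note the trap in the forged sample: asking handoff_ip about the line that claims to be "by mail.corp.example" returns the spammer's invented 10.1.2.3, because that line was never written by your server. Always anchor on the Received: line written by the host whose word you trust, then run the answer's NSLookup on the IP it names.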
Related Q&A from Richard Luckett