Excessive SPAM on Exchange server

We are averaging around 22-25% of SPAM on our Exchange 2010 server.  Is there a best practices document for locking down Exchange (receive connector, smarthost, reverse DNS, etc)?  Not an open relay, but think server is not as tightly secured as it needs to be.  We are using Trend Micro's Antispam along with the built-in Spam filter that comes with Exchange.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Giovanni HewardCommented:
Enable IP Block List Providers:

        Provider name: SpamCop
            DNS suffix: bl.spamcop.net
            Custom error message: {1} has blocked your IP address ({0}) using list '{2}'.  Please see http://www.spamcop.net/w3m?action=checkblock&ip={0} for further information.

        Provider name: SpamHaus
            DNS suffix: zen.spamhaus.org
            Custom error message: {1} has blocked your IP address ({0}) using list '{2}'.  Please see http://www.spamhaus.org/query/bl?ip={0} for further information.
I QasmiTechnical LeadCommented:
Try enabling the all the antispam features on the server.

Also it would be better if you implement a transport rule in such a way

That messages from users outside the organisation to the users outside the organisation

set the status as reject as spam will do the work for you.
WebccAuthor Commented:
Have the antispam filtering installed on the transport server.  Seems that they work better if you have an Edge transport server.  Will try to setup IP Blocklist providers.  Hopefully, they will work.  
How should the Receive connectors be setup optimally?  
Have just the default and client connectors.  

Default:  Authentication tab --> TLS, Basic, Exchange Server and Integrated are selected.
               Permissions tab -->  Everything selected except Partners
Client:    Authentication tab -->  TLS, BASIC and Integrated are selected.
               Permission tab -->  Everything selected except Partners

We have an SSL cert for our site.
Simon Butler (Sembee)ConsultantCommented:
The antispam fitlers on an internal server are not different to those on the Edge filter.
Don't change the receive connectors, they will have nothing to do with the level of spam that you have on the server.
Do you have recipient filtering enabled?

IP Block Lists are fine, as long as you are happy with someone else (who is not covered by any law) to decide what email you can receive.

How are you identifying "We are averaging around 22-25% of SPAM". Do you mean that 25% of your email is spam? If so you are doing well, I have clients where it is 80-90% - I have one where statistically 100% of their email is spam (the legitimate email is a rounding error).


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.