Spammers bypassing MX records direct to the server

Huh?

How can you tell from the logs how a spammer determined your IP address? Was the email delivered via an address you have listening on port 25 but not pointed to by an MX record?

Correct: All my emails come trough trend micro and for spam emails i can see the email is delivered direct to My IP.

2 Samples below

Spam Email
Received:  by Server Name (192.168.75.3) with Microsoft SMTP Server (TLS) id
 15.0.1130.7; Wed, 20 Jan 2016 10:47:27 +1100
Received: from 64.203.220.232.dyn-cm-pool-29.pool.hargray.net (64.203.220.232)
 by MyServer.local (192.168.75.3) with Microsoft SMTP Server id
 15.0.1130.7 via Frontend Transport; Wed, 20 Jan 2016 10:47:24 +1100

Non Spam Email:
Received: from iout2.hes.trendmicro.com (54.219.191.112) by
 MyServer.local (192.168.75.3) with Microsoft SMTP Server (TLS) id
 15.0.1130.7 via Frontend Transport; Wed, 20 Jan 2016 10:43:38 +1100

Do you allow a direct connection to your server for employee and support access?  That is, direct instead of VPN?

Sorry John, i did not get your question.

With direct access do you mean Outlook anyware?
Outlook anyware : yes

How do you access your servers from a remote location?

https://www.spamhero.com/support/84483/Configuring_Microsoft_Exchange_to_only_accept_email_fro.php

Malmensa: Thanks, i agree,, i am working on that now.
We have a Cisco router and no firewall.. Just trying  to figure that out..

If you just have a Cisco router, then use an ACL to do what Malmensa recommended

Yep, either an ACL on the router, or reconfig of Exchange should work just fine.

@ Malmensa: could you please shed some light on the Exchange configuration if possible.
Thanks

no one pointed out the solution of remove the backup MX records