I have an exchange server that does not have an open external relay, as tested by mxlookup.com. External unauthenticated users can not send email to people outside of our domain. This is correct.
But what IS happening is that external, unauthenticated users can relay to internal users IF they spoof their FROM address and claim to be from any user within our domain. And so we are getting a lot of spam / phishing because of it. How do I disable this?