Many small companies employ a service such as AppRiver to provide affordable messaging security, but not many take the time to properly secure their Exchange connectors afterwards.
A very common configuration for SMBs, particularly those running Microsoft Small Business Server, is to throw all the Exchange services on one box, forward ports 25, 80, and 443 to it, plug in your MX records, and call it a day. However, any experienced messaging administrator will tell you that it's a security concern to have your mailboxes sitting on the same server that has a publicly accessible SMTP service. Basically, you are inviting anyone and everyone to come put files on your server. Couple this with the fact that many businesses are running their servers with no messaging security component, such as Trend Micro's "Worry-Free Business Security Advanced" or Microsoft's Forefront for Exchange, and you have a recipe for quickly piling up unwanted mail, or worse.
Although a large enterprise might normally set up an edge server in a DMZ to receive mail, that's not a realistic option for the small business. So, in swoops a service such as AppRiver to save the day, providing you affordable hosted messaging security by acting as the middleman for incoming (and usually outgoing) mail between you and the rest of the internet. Problem solved, right? Wrong. Normal, RFC-abiding mail servers send all your mail to the secure hosted system you specified in those MX records, starting with the lowest number, but the wise spammer doesn't. He'll find port 25 open on your network and start spamming away, completely bypassing the filter. Here's how to avoid that and ensure your Exchange server only communicates with your filtering service.
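Before locking anything down, it helps to measure how much mail is already arriving around the filter. The script below is an added example, not part of the original article: it reads an Exchange SMTP receive protocol log and counts sessions opened by hosts outside the filtering service's ranges. It assumes protocol logging is enabled on the connector; the ranges in ALLOWED are placeholders, the log lines are constructed, and the function name is hypothetical.

```python
import csv
import ipaddress
from collections import Counter

# Assumption: placeholder ranges (documentation address space). Replace them with
# the ranges your filtering provider publishes, plus any internal relays.
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]

# Constructed sample in the Exchange SMTP receive protocol log layout.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-03-01T10:00:01.000Z,SBS\\Internet,08CD0001,0,10.0.0.5:25,203.0.113.17:41022,+,,
2011-03-01T10:00:01.100Z,SBS\\Internet,08CD0001,1,10.0.0.5:25,203.0.113.17:41022,>,"220 mail.example.test ready",
2011-03-01T10:02:09.000Z,SBS\\Internet,08CD0002,0,10.0.0.5:25,198.51.100.44:55310,+,,
2011-03-01T10:02:10.000Z,SBS\\Internet,08CD0002,1,10.0.0.5:25,198.51.100.44:55310,<,EHLO bulk.example.test,
2011-03-01T10:05:30.000Z,SBS\\Internet,08CD0003,0,10.0.0.5:25,198.51.100.44:55399,+,,
"""

def direct_connections(log_text, allowed=ALLOWED):
    """Count SMTP sessions opened by hosts outside the allowed ranges."""
    fields, hits = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields: "):
            fields = line[len("#Fields: "):].split(",")
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        if row.get("event") != "+":   # "+" is the connect event, one per session
            continue
        host = row["remote-endpoint"].rpartition(":")[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            hits[row["remote-endpoint"]] += 1   # unparsable: surface for review
            continue
        if not any(ip in net for net in allowed):
            hits[str(ip)] += 1
    return hits

if __name__ == "__main__":
    for ip, sessions in direct_connections(SAMPLE_LOG).most_common():
        print(f"{ip}: {sessions} session(s) bypassed the filter")
```

Run it again after the connector is locked down: the count of outside sessions should drop to zero.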
Step 1: Lock Down the Receive Connector
Fire up your Exchange console and drill down to Server Configuration > Hub Transport. You should already have one "Internet" connector there. Although Microsoft recommends you simply change this one, I like to leave it in place as a quick way to "re-enable" inbound mail from all sources should you ever need to.