We upgraded from Exchange 2010 to 2013 about 6 months ago and are very disappointed. We were running Forefront Protection for Exchange on the 2010 server, and had little to no spam ever. Now with 2013 we are getting a ridiculous amount of spam, including clearly spoofed phishing emails. The most recent are from 'support@salesforce.com' with an attached zip. We get about 4-5 of those a day, and since we do use Salesforce, I can't just block the address/domain.
I have followed the TechNet guide, and enabled all of the antispam features with the Exchange Management Shell. I have enabled the senderIDConfig, and have it set to delete spoofed domains. The reverse DNS check is working, as it shows the status on the messages that are sent to quarantine. We also have the content filter enabled, and every day I have to go through the spam and add keywords so it actually blocks something.
So how is it that spoofed messages are still making it through? I have checked Salesforce and they have their SPF records set up, so it should not be hard for Exchange to see the mail did not originate from any of the IPs in the list. We are seriously considering moving back to our Exchange 2010 server...