Software that is not reachable can't be hacked. Easy as that. So if you have a cloud-based anti-spam/anti-virus filter, you can block access to your SMTP server for the bad guys by only allowing the filter's servers to connect.
In my situation, I'm using a Windows 2008 SBS server with Exchange 2007.
- Start wf.msc
- Go to inbound rules
- Find MSExchangeTransportWorker and double-click it to open the properties
- On the "Scope" tab, under "Remote IP address", select "These IP addresses" and add the following IPs: 'Local subnet', 127.0.0.0/8, 192.168.0.0/16, fe80::/16
- Also add the IPs of your anti-spam servers
- Then click OK
- Don't forget to check that the changes actually work by testing from an IP that should be able to connect and from one that should not
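
The same scope change and the final check as a script, added here as an example and not part of the original post. Assumptions: the rule's display name is exactly `MSExchangeTransportWorker`, `203.0.113.10` is a placeholder for your anti-spam provider's IPs, `mail.example.test` is a placeholder for your server, and the test function runs on PowerShell 2.0 or later.

```powershell
# Added example. Part 1 runs on the Exchange server in an elevated prompt.
# Assumption: $RuleName must match the rule's display name in wf.msc exactly.
$RuleName = 'MSExchangeTransportWorker'

# Scope from the steps above; 203.0.113.10 is a placeholder for your
# anti-spam provider's delivery IPs (take the real list from the provider).
$Allowed = @('localsubnet', '127.0.0.0/8', '192.168.0.0/16', 'fe80::/16',
             '203.0.113.10')

function Set-SmtpRuleScope {
    param([string]$Name, [string[]]$RemoteIp)
    $list = [string]::Join(',', $RemoteIp)
    # netsh replaces the rule's whole remote address list with this one.
    & netsh advfirewall firewall set rule "name=$Name" dir=in new "remoteip=$list"
    if ($LASTEXITCODE -ne 0) { throw "netsh could not update rule '$Name'" }
    # Print the rule so the resulting RemoteIP line can be checked by eye.
    & netsh advfirewall firewall show rule "name=$Name" verbose
}

# Part 2 runs on the test machines: one inside the allowed scope, one outside.
# Uses TcpClient so it does not depend on newer cmdlets.
function Test-SmtpReachable {
    param([string]$Server, [int]$Port = 25, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        # A blocked source gets no answer, so it ends in a timeout.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($pending)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# On the server:        Set-SmtpRuleScope -Name $RuleName -RemoteIp $Allowed
# On each test machine: Test-SmtpReachable -Server 'mail.example.test'
# Expect $true from an allowed address and $false from any other.
```

If mail from the filter stops arriving after the change, compare the provider's published delivery IPs with the RemoteIP line printed by `Set-SmtpRuleScope`.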