no msft on routable addresses, no web apps on your email machine
The MSFT system wasn't designed (believe it or not) to be exposed directly to the Internet. If you must run MSFT applications on MSFT's OS, hide those machines on private IP addresses (10.0.0.0/8, 192.168.0.0/16) behind a firewall that performs network address translation. Don't just forward your Exchange server's inbound port 25 through that firewall; use a simple, manageable email server on a robust OS as a relay in both directions. Dedicate a *big* box if you're going to do your own virus scanning. Almost all of the hosts that try to send me spam are MSFT boxes directly exposed on routable addresses. Dedicate a second box as a Web proxy and spend money on an actively maintained scanner for hostile Web content. Don't let your MSFT workstations see straight through to the Internet unless you're prepared for the ongoing expense and random workflow interruptions malware brings. It's easier to keep it out than to remove it. If you can't do that, keep your application data on shared network volumes and make all your workstations identical, so you can swap them out as they get hit.
Consider outsourcing email to a specialist, at least at first. If you run your own email instead, resist the temptation to run a Web server with dynamic applications on the same box. Most of the rest of the spam arriving here is from compromised Web application servers. Typical PHP applications are as bad as typical ASP. Your modern unix (Linux or BSD) running Apache and one of the standard mail servers is really hard to crack. But add some freeware CMS and you're throwing most of that security out the window.
If you must run one of those things, stop it from sending email at the firewall.
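As an added example (not part of the original post), here is the egress policy the advice above amounts to, expressed once as a small rule table and rendered as an nftables ruleset for the NAT firewall: the Exchange box may hand mail only to the relay, the relay is the only host allowed outbound SMTP, and everything else on the private LAN, the web app box included, is blocked on the mail ports. The addresses are constructed placeholders; `decide` evaluates the same table in first-match order so the policy can be checked before it is loaded.

```shell
#!/bin/sh
# Constructed addresses (assumptions, not from the original post).
RELAY=10.0.1.2        # unix mail relay, private address, does all SMTP in/out
EXCHANGE=10.0.1.10    # MSFT mail server, never reachable from the Internet
LAN=10.0.0.0/8        # everything else: web app box, proxy, workstations

# Single source of truth: "src dst port[,port...] verdict", first match wins.
RULES="
$EXCHANGE $RELAY 25 accept
$RELAY any 25 accept
$LAN any 25,465,587 drop
"

# in_net ADDR NET: exact address, or /8, /16, /24 prefix (enough for this policy)
in_net() {
  case "$2" in
    */8)  [ "${1%%.*}" = "${2%%.*}" ] ;;
    */16) [ "$(echo "$1" | cut -d. -f1-2)" = "$(echo "${2%/*}" | cut -d. -f1-2)" ] ;;
    */24) [ "$(echo "$1" | cut -d. -f1-3)" = "$(echo "${2%/*}" | cut -d. -f1-3)" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# decide SRC DST DPORT: prints the verdict the forward chain would give
decide() {
  while read -r s d p v; do
    [ -n "$s" ] || continue
    in_net "$1" "$s" || continue
    [ "$d" = any ] || in_net "$2" "$d" || continue
    case ",$p," in *",$3,"*) echo "$v"; return 0 ;; esac
  done <<EOF
$RULES
EOF
  echo accept   # chain policy: everything not listed (web, DNS, ...) passes
}

# gen_ruleset: emit the same table as an nftables forward chain
gen_ruleset() {
  printf 'table inet mailpolicy {\n  chain forward {\n'
  printf '    type filter hook forward priority 0; policy accept;\n'
  while read -r s d p v; do
    [ -n "$s" ] || continue
    dst=''
    [ "$d" = any ] || dst=" ip daddr $d"
    printf '    ip saddr %s%s tcp dport { %s } %s\n' "$s" "$dst" "$p" "$v"
  done <<EOF
$RULES
EOF
  printf '  }\n}\n'
}
# Load with: gen_ruleset | nft -f -   (run on the firewall as root)
```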