When someone sends an email, their computer communicates with your IMC using SMTP. Typically spammers don't bother using any valid address in the "mail from:" command. If they did, they might get reported. SMTP in Exchange only requires a valid "rcpt to:" domain name.
For instance, let's say your domain is company.com and a spammer has one of your users' email addresses: joeblo@company.com. When they hit your IMC via port 25 (SMTP), they leave the mail from blank, and use the rcpt to: with the username. If the spam just points at a web site or 800 number, why bother to risk getting bounced or complaint emails? In fact, so they don't get black-holed by ORBZ.org, they typically relay off someone's unsecured SMTP server. Here's the test:
Your domain is company.com
Your server is 64.64.64.64
Start up telnet session: Your command prompt will work fine.
C:> telnet
open 64.64.64.64 25 (the 25 is SMTP port)
mail from: leave this blank
rcpt to: joeblo@company.com
text
write any message, then hit enter, a period, then enter.
That's it. The user will get the email with the from looking like <>. Exchange's SMTP allows this no matter how much I hate it. Anybody have a good solution?
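A defender-side check for the behaviour described in the post, as an added example that is not part of the original post: the empty sender <> is also what legitimate bounce messages use, so instead of blocking it this flags null-sender sessions that look unlike a real bounce. The log layout, the function name audit_null_senders and the two heuristics (no HELO/EHLO greeting, more than one recipient) are assumptions for illustration, not Exchange's own log format or settings.

```python
import re
# Constructed sample log: "<session> <client-ip> <SMTP command>", one message
# per session. This layout is an assumption, not Exchange's own log format.
SAMPLE_LOG = """\
s1 192.0.2.10 HELO mail.example.net
s1 192.0.2.10 MAIL FROM:<alice@example.net>
s2 198.51.100.7 MAIL FROM:<>
s2 198.51.100.7 RCPT TO:<joeblo@company.com>
s3 203.0.113.5 EHLO mx.example.org
s3 203.0.113.5 MAIL FROM:<>
s3 203.0.113.5 RCPT TO:<joeblo@company.com>
s4 203.0.113.9 EHLO relay.example.com
s4 203.0.113.9 MAIL FROM: <>
s4 203.0.113.9 RCPT TO:<joeblo@company.com>
s4 203.0.113.9 RCPT TO:<sales@company.com>
"""

MAIL_RE = re.compile(r"MAIL FROM:\s*<([^>]*)>", re.I)
RCPT_RE = re.compile(r"RCPT TO:\s*<([^>]+)>", re.I)

def audit_null_senders(log_text):
    """Return {session: (client_ip, reasons)} for sessions using MAIL FROM:<>."""
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        sid, ip, cmd = parts
        s = sessions.setdefault(sid, {"ip": ip, "helo": False, "null": False, "rcpts": set()})
        if cmd.upper().startswith(("HELO", "EHLO")):
            s["helo"] = True
        elif m := MAIL_RE.match(cmd):
            s["null"] = m.group(1).strip() == ""
        elif m := RCPT_RE.match(cmd):
            s["rcpts"].add(m.group(1).lower())
    findings = {}
    for sid, s in sessions.items():
        if not s["null"]:
            continue  # normal sender address, out of scope here
        reasons = []
        if not s["helo"]:          # no greeting, as in the hand-typed telnet test
            reasons.append("no HELO/EHLO")
        if len(s["rcpts"]) > 1:    # a bounce goes back to one original sender
            reasons.append("multiple recipients")
        findings[sid] = (s["ip"], reasons or ["consistent with a bounce"])
    return findings

if __name__ == "__main__":
    for sid, (ip, reasons) in audit_null_senders(SAMPLE_LOG).items():
        print(sid, ip, ", ".join(reasons))
```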