One "best practices" setting for the Internet Mail Service is not enabled by default, but is key in preventing spam and other mail-relaying offenses:
In the Property sheet for the Internet Mail Service, go to the 'Routing' tab. Under 'Routing Restrictions,' you will see the option to "Specify the hosts and clients that can route mail when the following conditions are met:" Place a check-mark next to "Hosts and clients that successfully authenticate." This ensures that only SMTP mail originating from a legitimate user account on your server is permitted to route Internet mail. All usual caveats and warnings about making configuration changes to a production server apply.
This was first published in June 2002