In our Exchange 2010 environment (combined with forefront anti-spam) there was 1 user who kept on receiving spam. The spam originated from his own email address and got the tag SenderOnRecipientSafeList.

This was caused by the fact that our Receive Connector had the permission ms-Exch-SMTP-Accept-Authoritative-Domain-Sender. This right basically tells the exchange server: “accept mail from users that tell you to be from that you are authorative for”.

With a powershell command you can remove this right from the receive connector.

remove-ADPermission -Identity <connectorName> -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

note: <ConnectorName> is the name of the connector that is accepting your internet inbound mail.

Your Internet Inbound connector can be found under: Server Configuration\Hub Transport\Receive Connectors.
You can enable logging on this Connectors by opening the properties and on the general  tab you can set the [Protocol Logging Level] to “Verbose”.

Off course you also want to know where you can find the log files. You can find the path by opening the properties of your Server Configuration (in the Action Pane), the tab [Log Settings] has the path to your “Send Protocol Log Path”