FPE issue where all spam is missed

The most common reason we do not filter spam in FPE is that we honor the ms-exch-bypass-anti-spam permission on connectors.

The most common scenario is that the bypass is enabled for anonymous connections.

This is simple to fix with some PowerShell commands to remove the permissions from the connectors.

In exchange PowerShell.

Get-ReceiveConnector

Take the names you get and run
Get-ReceiveConnector " Receive_Connector_name" | Get-ADPermission -User "NT Authority\Anonymous Logon"|fl

You are looking for this

You can then remove the right for bypass by running the following on any connector with the bypass right
Get-ReceiveConnector " Receive_Connector_name" | Remove-ADPermission -User "NT Authority\Anonymous Logon" -ExtendedRight ms-exch-bypass-anti-spam

Checking again with Get-ReceiveConnector " Receive_Connector_name" | Get-ADPermission -User "NT Authority\Anonymous Logon"|fl shows that bypass has been removed from the rights for anonymous.

You can then do the same thing for each connector and recycle transport to make the changes take effect.