You can turn off authentication on the SMTP Instance, thus disabling the AUTH verbs for any external smtp access (for those not using 3rd party filtering), therefore disabling anyone attempting to send authenticated email. Everyone I know uses OWA/RWW, no need to leave authentication turned on for things that noone uses.
One of the ways to show IP access is view the WWW(\windows\system32\logs\w3svc) logs, but if you use windows mobile push email, then your www logs get filled with the phone access.
source: http://msmvps.com/blogs/bradley/archive/2007/11/30/a-little-bit-of-529-s.aspx