Post by Bikini Browser
Hello...
I need to figure out how to stop most of the SPAM we are getting using
Microsoft Exchange 2003 running on an SBS Server.
I can't spend any money so I have to do it using the Exchange software.
Someone suggested that I enforce Reverse DNS Lookup rules.
If that is how you do it, how do you do it? How do you enforce Reverse DNS
Lookup rules?
This would seem to be an area that Exchange 2003 doesn't do, but which
would certainly take out a lot of spam. Tarpitting will help somewhat.
Use of a good RBL will stop quite a lot, and IMF will have some effect
on what's left, though a lot of spammers' effort goes into passing
content-based checkers like IMF and SpamAssassin.
Nearly all spam comes from infected home computers. Almost all either
have no reverse DNS, or reverse DNS which doesn't point to a
complementary A record, or whose reverse DNS lookups ('generic') contain
disguised IP addresses or strings like 'dhcp' and 'pool', which are easy
to spot. I also look for reverse DNS or HELO strings which resolve to a
number of two-letter country TLDs. You'd be surprised how much spam you
can reject by looking for your own IP address in the HELO. No imagination...
I get typically 2000 connections a day to my mail server (not Exchange),
of which about 100 are genuine and about three of the rest currently
make it through to my mailbox. That's without either content filtering
or RBL, that's just using the HELO, DNS lookups and tarpitting. I ask
for an ident reply, but I don't reject servers (mostly Exchange!) which
don't provide one, just make them wait 30 seconds. This discourages
about 25-30% of spammers and doesn't bother genuine mail servers. As it
happens, I don't run an ident server myself, but then I don't send much
email.
I would hope that Exchange 2007 has DNS lookup and testing facilities,
or that it develops them soon, as they are extremely effective. The
world isn't moving towards SPF very quickly, and while the majority of
large ISPs are fairly picky about accepting email, none of them seem
bothered about their own customers' computers sending spam, apart from
AOL of course. All the other 'difficult' email domains, Comcast, Yahoo
etc., turn up regularly in my logs.
--
Joe
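Joe's reverse-DNS and HELO heuristics above, written out as a small connection-policy check. This is an added example, not code from either poster and not a feature of Exchange 2003; the PTR and A tables are constructed stand-ins for real resolver queries (a production version would issue the lookups instead), and the generic-token list, function names and sample addresses are assumptions made for the illustration.

```python
"""Evaluate an inbound SMTP connection against the rDNS/HELO heuristics in the post:
missing reverse DNS, reverse DNS whose forward (A) lookup does not return the
connecting IP, 'generic' dynamic-pool names, the connecting IP disguised inside
the name, and a HELO that announces our own IP address."""
import re
from typing import Dict, List

# Constructed sample DNS data (documentation ranges, not real hosts).
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.5": "203-0-113-5.dhcp.example-isp.net",
    "192.0.2.10": "mail.example.org",
    "192.0.2.20": "host.example.net",
    # 198.51.100.7 deliberately has no PTR record
}
A_RECORDS: Dict[str, str] = {
    "203-0-113-5.dhcp.example-isp.net": "203.0.113.5",
    "mail.example.org": "192.0.2.10",
    "host.example.net": "192.0.2.99",  # forward lookup does not come back to 192.0.2.20
}

# Labels typical of dynamically assigned customer addresses (assumed list).
GENERIC_TOKENS = re.compile(
    r"(?:^|[.\-_])(dhcp|pool|dyn|dynamic|ppp|cable|dsl)(?:$|[.\-_])", re.I
)


def disguised_ip(ip: str, name: str) -> bool:
    """True if the four octets of ip appear in name, in forward or reverse order,
    separated by dots, dashes or underscores (e.g. 203-0-113-5.dhcp.example-isp.net)."""
    octets = ip.split(".")
    sep = r"[.\-_]"
    for seq in (octets, list(reversed(octets))):
        pattern = r"(?<!\d)" + sep.join(re.escape(o) for o in seq) + r"(?!\d)"
        if re.search(pattern, name):
            return True
    return False


def check_connection(ip: str, helo: str, our_ip: str,
                     ptr: Dict[str, str] = PTR_RECORDS,
                     a: Dict[str, str] = A_RECORDS) -> List[str]:
    """Return the list of reasons this connection looks like a spam source.
    An empty list means none of the heuristics fired."""
    reasons: List[str] = []
    rdns = ptr.get(ip)
    if rdns is None:
        reasons.append("no reverse DNS")
    else:
        # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
        if a.get(rdns) != ip:
            reasons.append("reverse DNS does not resolve back to connecting IP")
        if GENERIC_TOKENS.search(rdns):
            reasons.append("generic (dynamic-pool) reverse DNS name")
        if disguised_ip(ip, rdns):
            reasons.append("IP address embedded in reverse DNS name")
    # HELO may be given as a bare address or as an address literal in brackets.
    if helo.strip().strip("[]").lower() == our_ip:
        reasons.append("HELO is our own IP address")
    return reasons


def disposition(reasons: List[str]) -> str:
    """Map the heuristic result to an SMTP-time decision."""
    return "reject" if reasons else "accept"


if __name__ == "__main__":
    OUR_IP = "192.0.2.1"
    samples = [
        ("203.0.113.5", "203-0-113-5.dhcp.example-isp.net"),
        ("198.51.100.7", "friend.example.com"),
        ("192.0.2.10", "mail.example.org"),
        ("192.0.2.20", "host.example.net"),
        ("192.0.2.10", "[192.0.2.1]"),
    ]
    for ip, helo in samples:
        r = check_connection(ip, helo, OUR_IP)
        print(f"{ip:14} HELO {helo:35} -> {disposition(r)} {r}")
```

Running the script prints one line per sample connection with the decision and the reasons that fired; only the fully forward-confirmed host with a sensible HELO is accepted. The PTR/A mismatch check is the strongest of the five, since it cannot be satisfied by a sender who does not control the address space's reverse zone.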