Perhaps to combat this, unless I'm missing something, one could justifiably
deploy GRE filters with source & destination addresses of the exchange
subnets. Filtering GRE in general seems nothing more than foolish.
I posted an FYI on how to detect & prevent abuse by tunneling through exchange
points a while ago. I anyone is interested I'll post it again or perhaps
get it put up on the web.