Exchange Server 2007 Edge Transport server and Hub Transport servers with the Exchange Anti-spam features installed may report event ID 454 and 17003 if the Sender Reputation database becomes corrupt.

The Sender Reputation feature of Exchange Server 2007 is described here:

Sender Reputation is anti-spam functionality that is enabled on computers that have the Microsoft Exchange Server 2007 Edge Transport server role installed to block messages according to many characteristics of the sender. Sender reputation relies on persisted data about the sender to determine what action, if any, to take on an inbound message.

If the Sender Reputation database becomes corrupt you may find the Microsoft Exchange Transport service has stopped and the Application Event Log contains the following sequence of events.

Event Type: Error
Event Source: ESE
Event Category: Logging/Recovery
Event ID: 454
Date: 28/02/2008
Time: 9:32:20 AM
User: N/A
Computer: SERVER
Description:
edgetransport (4568) Sender Reputation Database: Database recovery/restore failed with unexpected error -515.

Event Type: Error
Event Source: MSExchangeTransport
Event Category: Storage
Event ID: 17003
Date: 28/02/2008
Time: 9:32:20 AM
User: N/A
Computer: SERVER
Description:
Sender Reputation Database: An operation has encountered a fatal error. The database may be corrupted. The Microsoft Exchange Transport service is shutting down. Manual database recovery or repair may be required. Exception details: Microsoft.Exchange.Isam.IsamInvalidLogSequenceException: Timestamp in next log does not match expected (-515)
at Microsoft.Exchange.Isam.?A0×051b51e0.HandleError(Int32 err)
at Microsoft.Exchange.Isam.Interop.MJetInit(MJET_INSTANCE instance)
at Microsoft.Exchange.Transport.Storage.DataSource.InitInstance()

Event Type: Information
Event Source: MSExchangeTransport
Event Category: Components
Event ID: 7001
Date: 28/02/2008
Time: 9:32:20 AM
User: N/A
Computer: SERVER
Description:
The service will be stopped. Reason: A failure occurred in a transport database operation.

The Sender Reputation database is located in C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\SenderReputation (if you have installed Exchange to the default location). The database file is the pasettings.edb file, a JET database, and as such you can use ESEUtil.exe to attempt repair or recovery.

An integrity check is usually the first thing to run:

[PS] C:\>eseutil /g “C:\Program Files\Microsoft\
ExchangeServer\TransportRoles\data\
SenderReputation\pasettings.edb”   

Extensible Storage Engine Utilities for Microsoft(R)Exchange
Server Version 08.01
Copyright (C) Microsoft Corporation. All Rights Reserved.   

Initiating INTEGRITY mode…
        Database: C:\Program Files\Microsoft\Exchange
Server\TransportRoles\data\SenderReputation\
pasettings.edb
  Temp. Database: TEMPINTEG6436.EDB   

Checking database integrity.   

The database is not up-to-date. This operation may find
that this database is corrupt because data from the
logfiles has yet to be placed in the database.   

To ensure the database is up-to-date please use the
‘Recovery’ operation.

You can attempt a recovery of the database:

[PS] C:\Program Files\Microsoft\Exchange Server\
TransportRoles\data\SenderReputation>eseutil /r /a trn   

Extensible Storage Engine Utilities for Microsoft(R)Exchange
Server Version 08.01
Copyright (C) Microsoft Corporation. All Rights Reserved.   

Initiating RECOVERY mode…
    Logfile base name: trn
            Log files:
         System files:    

Performing soft recovery…
                      Restore Status (% complete)   

      0    10   20   30   40   50   60   70   80   90  100
      |—-|—-|—-|—-|—-|—-|—-|—-|—-|—-|   

Operation terminated with error -566 (JET_errDbTimeTooOld,
dbtime on page smaller than dbtimeBefore in record) after0.281
seconds.

If the recovery fails a repair can be attempted:

[PS] C:\Program Files\Microsoft\Exchange Server\
TransportRoles\data\
SenderReputation>eseutil /p pasettings.edb   

Extensible Storage Engine Utilities for Microsoft(R)Exchange
Server Version 08.01
Copyright (C) Microsoft Corporation. All Rights Reserved.   

Initiating REPAIR mode…
        Database: pasettings.edb
  Temp. Database: TEMPREPAIR1968.EDB   

Checking database integrity.   

The database is not up-to-date. This operation may find
that this database is corrupt because data from the
logfiles has yet to be placed in the database.   

To ensure the database is up-to-date please use the
‘Recovery’ operation.   

                     Scanning Status (% complete)   

      0    10   20   30   40   50   60   70   80   90  100
      |—-|—-|—-|—-|—-|—-|—-|—-|—-|—-|
      ……………………………………………   

Scanning the database.   

                     Scanning Status (% complete)   

      0    10   20   30   40   50   60   70   80   90  100
      |—-|—-|—-|—-|—-|—-|—-|—-|—-|—-|
      ……………………………………………   

Repairing damaged tables.   

                     Scanning Status (% complete)   

      0    10   20   30   40   50   60   70   80   90  100
      |—-|—-|—-|—-|—-|—-|—-|—-|—-|—-|   

Deleting unicode fixup table.
……………………………………………   

Repair completed. Database corruption has been repaired!   

Note:
  It is recommended that you immediately perform a full
backup of this database. If you restore a backup made
before the repair, the database will be rolled back to
the state it was in at the time of that backup.   

Operation completed successfully with 595 (JET_wrnDatabase
Repaired, Database corruption has been repaired) after
7.656 seconds.

Though this may report success, and further integrity checks show the database to be healthy, you may still find the Microsoft Exchange Transport service will not start. In these cases you can delete the files in C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\SenderReputation. When the Microsoft Exchange Transport service is next started it will build a new Sender Reputation database.

Here is the anti-spam configuration on an Exchange Server 2007 RTM server:

[PS] C:>Get-AntispamUpdates   

UpdateMode                  : Automatic
LatestContentFilterVersion  : 3.3.4604.600
SpamSignatureUpdatesEnabled : True
LatestSpamSignatureVersion  : 3.3.4604.600
IPReputationUpdatesEnabled  : True
LatestIPReputationVersion   : 3.3.4604.001
MicrosoftUpdate             : NotConfigured

And here is the same Exchange Server 2007 server immediately after upgrading to Service Pack 1:

[PS] C:>Get-AntispamUpdates   

UpdateMode                  : Disabled
LatestContentFilterVersion  : 3.3.4604.600
SpamSignatureUpdatesEnabled : False
LatestSpamSignatureVersion  : 3.3.4604.600
IPReputationUpdatesEnabled  : False
LatestIPReputationVersion   : 3.3.4604.001
MicrosoftUpdate             : NotConfigured

The Service Pack 1 installation disabled the Anti-spam engine updates. This stung me on a production system that I upgraded shortly after the SP1 release. Eventually someone in the office mentioned the ever increasing volume of spam emails to me and I subsequently made this discovery.

Sadly the Release Notes do not seem to include this issue.

Last week I wrote a post on what is missing from Exchange Server 2007 Anti-Spam.  A short time afterwards Evan Dodds wrote back to me with an answer to the issue.

One could write a simple script to check what updates are available on MU in certain categories, etc. Sample VB script code is available on MSDN.

Nothing in the product though…

The update service looks up for updates and reports errors in downloading, etc.

The sample VBS code he refers to is this one.  Trimming it down to just the essential code for this task, I came up with this:


Set objSearcher = CreateObject("Microsoft.Update.Searcher")
Set objResults = objSearcher.Search("Type='Software'")
Set colUpdates = objResults.Updates
For i = 0 to colUpdates.Count - 1
Set objCategories = colUpdates.Item(i).Categories
For z = 0 to objCategories.Count - 1
If objCategories.Item(z).Name = "Exchange Server 2007 Anti-spam" Then
   Wscript.Echo "Title: " & colUpdates.Item(i).Title
End If
Next
Next

When executed on an Exchange Server 2007 box it produces output like this.


[PS] C:\Admin\Scripts>.\updatescript.vbs
Title: Microsoft Exchange Server 2007 Enterprise Anti-spam Filter Updates v3.3.6009.660
Title: Microsoft Exchange Server 2007 Enterprise Block List Updates v3.3.6009.047
Title: Microsoft Exchange Server 2007 Enterprise Anti-spam Signatures v3.3.6009.915

I can then run Get-Antispamupdates to compare the Microsoft Update data to what is currently installed on the server.


[PS] C:\Admin\Scripts>Get-AntispamUpdates
UpdateMode                  : Automatic
LatestContentFilterVersion  : 3.3.6009.660
SpamSignatureUpdatesEnabled : True
LatestSpamSignatureVersion  : 3.3.6009.915
IPReputationUpdatesEnabled  : True
LatestIPReputationVersion   : 3.3.6009.047
MicrosoftUpdate             : Configured

And that tells me whether my Exchange server is up to date for anti-spam signatures.

Now that the solution is more apparent I am working on wrapping this into a single script that can be executed from a single server to report on all Hub Transport servers in the organisation.

I’ve been searching all over the Microsoft website for a KB article, Technet article, or any other page that will list the current version of the various Exchange Server 2007 anti-spam signature releases.

I realise that in any given day these can update dozens of times, but it is still a bit frustrating not having a page to refer to (or to scrape with a script) and compare with the current versions on the server when investigating reports of spam reaching mailboxes.

I’ve written to a few Microsoft staff and non-Microsoft experts in the Exchange field and haven’t found an answer to this yet. If anyone happens to know more about it please drop me a line or leave a comment here.

Update 05/12/07 - a solution has come my way via email, details to come.

Update 10/12/07 - click here.