diff --git a/plume-common/src/activity_pub/inbox.rs b/plume-common/src/activity_pub/inbox.rs
index 9c714614..fdfec3e1 100644
--- a/plume-common/src/activity_pub/inbox.rs
+++ b/plume-common/src/activity_pub/inbox.rs
@@ -164,6 +164,11 @@ where
                     Some(x) => x,
                     None => return Inbox::NotHandled(ctx, act, InboxError::InvalidActor(None)),
                 };
+
+                if Self::is_spoofed_activity(&actor_id, &act) {
+                    return Inbox::NotHandled(ctx, act, InboxError::InvalidObject(None));
+                }
+
                 // Transform this actor to a model (see FromId for details about the from_id function)
                 let actor = match A::from_id(
                     ctx,
@@ -222,6 +227,29 @@ where
             Inbox::Failed(err) => Err(err),
         }
     }
+
+    fn is_spoofed_activity(actor_id: &str, act: &serde_json::Value) -> bool {
+        use serde_json::Value::{Array, Object, String};
+
+        if act["type"] != String("Create".to_string()) {
+            return false;
+        }
+        let attributed_to = act["object"].get("attributedTo");
+        if attributed_to.is_none() {
+            return false;
+        }
+        let attributed_to = attributed_to.unwrap();
+        match attributed_to {
+            Array(v) => v.iter().all(|i| match i {
+                String(s) => s != actor_id,
+                Object(_) => false, // TODO: Validate recursively"
+                _ => false,
+            }),
+            String(s) => s != actor_id,
+            Object(_) => false, // TODO: Validate Recursively
+            _ => false,
+        }
+    }
 }
 
 /// Get the ActivityPub ID of a JSON value.