diff --git a/plume-models/src/inbox.rs b/plume-models/src/inbox.rs
index 71bc5398..1ffcc763 100644
--- a/plume-models/src/inbox.rs
+++ b/plume-models/src/inbox.rs
@@ -173,6 +173,36 @@ pub(crate) mod tests {
 });
 }
 
+ #[test]
+ fn spoof_comment() {
+ let r = rockets();
+ let conn = &*r.conn;
+ conn.test_transaction::<_, (), _>(|| {
+ let (posts, users, _) = fill_database(&r);
+ let act = json!({
+ "id": "https://plu.me/comment/1/activity",
+ "actor": users[0].ap_url,
+ "object": {
+ "type": "Note",
+ "id": "https://plu.me/comment/1",
+ "attributedTo": users[1].ap_url,
+ "inReplyTo": posts[0].ap_url,
+ "content": "Hello.",
+ "to": [plume_common::activity_pub::PUBLIC_VISIBILITY]
+ },
+ "type": "Create",
+ });
+
+ assert!(matches!(
+ super::inbox(&r, act.clone()),
+ Err(super::Error::Inbox(
+ box plume_common::activity_pub::inbox::InboxError::InvalidObject(_),
+ ))
+ ));
+ Ok(())
+ });
+ }
+
 #[test]
 fn create_post() {
 let r = rockets();
@@ -214,6 +244,42 @@ pub(crate) mod tests {
 });
 }
 
+ #[test]
+ fn spoof_post() {
+ let r = rockets();
+ let conn = &*r.conn;
+ conn.test_transaction::<_, (), _>(|| {
+ let (_, users, blogs) = fill_database(&r);
+ let act = json!({
+ "id": "https://plu.me/comment/1/activity",
+ "actor": users[0].ap_url,
+ "object": {
+ "type": "Article",
+ "id": "https://plu.me/~/Blog/my-article",
+ "attributedTo": [users[1].ap_url, blogs[0].ap_url],
+ "content": "Hello.",
+ "name": "My Article",
+ "summary": "Bye.",
+ "source": {
+ "content": "Hello.",
+ "mediaType": "text/markdown"
+ },
+ "published": "2014-12-12T12:12:12Z",
+ "to": [plume_common::activity_pub::PUBLIC_VISIBILITY]
+ },
+ "type": "Create",
+ });
+
+ assert!(matches!(
+ super::inbox(&r, act.clone()),
+ Err(super::Error::Inbox(
+ box plume_common::activity_pub::inbox::InboxError::InvalidObject(_),
+ ))
+ ));
+ Ok(())
+ });
+ }
+
 #[test]
 fn delete_comment() {
 use crate::comments::*;
diff --git a/plume-models/src/lib.rs b/plume-models/src/lib.rs
index 67bf51ad..de97a412 100644
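Review bot: The assertion in `spoof_comment` accepts any `InvalidObject(_)` and never checks the database, so it would still pass if the Note were rejected for a reason unrelated to the `actor`/`attributedTo` mismatch, or if a comment row were written before the error is returned. As this is the regression test for an authorship check, I would follow the `assert!` with a lookup of `https://plu.me/comment/1` inside the same transaction and require that it finds nothing. A one-line comment above `let act` would also make the intent explicit: `// actor is users[0], but the Note claims users[1] as its author: the inbox must refuse it`. `spoof_post` in the next hunk has the same gap for `https://plu.me/~/Blog/my-article`.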
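Review bot: In `spoof_post` the activity `id` is still `https://plu.me/comment/1/activity`, copied from the comment test, although the object is an Article. An id derived from the article, e.g. `"id": "https://plu.me/~/Blog/my-article/activity",`, keeps the fixture self-consistent and avoids a misleading result if the inbox ever starts comparing activity and object ids. `act` is not used after the call in either new test, so `act.clone()` can be `super::inbox(&r, act)`.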
--- a/plume-models/src/lib.rs
+++ b/plume-models/src/lib.rs
@@ -1,6 +1,7 @@
 #![feature(try_trait)]
 #![feature(never_type)]
 #![feature(proc_macro_hygiene)]
+#![feature(box_patterns)]
 
 #[macro_use]
 extern crate diesel;
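Review bot: `#![feature(box_patterns)]` is switched on for the whole crate, but in this diff the only `box` patterns are in the two new tests in `inbox.rs`. That adds one more unstable feature the library build depends on; gating it with `#![cfg_attr(test, feature(box_patterns))]` keeps it out of non-test builds. Alternatively the tests could bind the boxed error and match on its dereference, which needs no feature gate at all.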