diff --git a/include/deliver.php b/include/deliver.php
index 547d009cc..b1314ce39 100644
--- a/include/deliver.php
+++ b/include/deliver.php
@@ -26,7 +26,7 @@ function deliver_run($argv, $argc) {
 				// If there is no outq_msg, this is a refresh_all message which does not require local handling
 				if($r[0]['outq_msg']) {
 					$msg = array('body' => json_encode(array('pickup' => array(array('notify' => json_decode($r[0]['outq_notify'],true),'message' => json_decode($r[0]['outq_msg'],true))))));
-					zot_import($msg);
+					zot_import($msg,z_root());
 					$r = q("delete from outq where outq_hash = '%s' limit 1",
 						dbesc($argv[$x])
 					);
diff --git a/include/zot.php b/include/zot.php
index 3ea7fa90b..71aa27a81 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -801,8 +801,7 @@ function zot_fetch($arr) {
 	$datatosend = json_encode(aes_encapsulate(json_encode($data),$ret_hub['hubloc_sitekey']));
 	
 	$fetch = zot_zot($url,$datatosend);
-
-	$result = zot_import($fetch);
+	$result = zot_import($fetch, $arr['sender']['url']);
 	return $result;
 }
 
@@ -815,7 +814,7 @@ function zot_fetch($arr) {
  * The message types handled here are 'activity' (e.g. posts), 'mail' and 'profile'
  */
 
-function zot_import($arr) {
+function zot_import($arr, $sender_url) {
 
 	$data = json_decode($arr['body'],true);
 
@@ -842,6 +841,13 @@ function zot_import($arr) {
 
 			logger('zot_import: notify: ' . print_r($i['notify'],true), LOGGER_DATA);
 
+			$hub = zot_gethub($i['notify']['sender']);			
+			if((! $hub) || ($hub['hubloc_url'] != $sender_url)) {
+				logger('zot_import: potential forgery: wrong site for sender: ' . $sender_url . ' != ' . print_r($i['notify'],true));
+				continue;
+			}
+
+
 			$i['notify']['sender']['hash'] = base64url_encode(hash('whirlpool',$i['notify']['sender']['guid'] . $i['notify']['sender']['guid_sig'], true));
 			$deliveries = null;
 
@@ -1093,6 +1099,15 @@ function allowed_public_recips($msg) {
 function process_delivery($sender,$arr,$deliveries,$relay) {
 
 	$result = array();
+
+
+	// We've validated the sender. Now make sure that the sender is the owner or author
+	// This needs to be done in each process_xxxx function because the data arrays and conditions will be different. 
+
+	if($sender['hash'] != $arr['owner_xchan'] && $sender_hash != $arr['author_xchan']) {
+		logger('process_delivery: sender is not owner or author');
+		return;
+	}
 	
 	foreach($deliveries as $d) {
 		$r = q("select * from channel where channel_hash = '%s' limit 1",
diff --git a/version.inc b/version.inc
index f91c18185..bd22a63e0 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2013-10-01.453
+2013-10-02.454