diff --git a/src/api/client_server/sync.rs b/src/api/client_server/sync.rs
index 04fdb2bb..76b48d10 100644
--- a/src/api/client_server/sync.rs
+++ b/src/api/client_server/sync.rs
@@ -1476,6 +1476,9 @@ pub async fn sync_events_v4_route(
 
     let mut known_subscription_rooms = BTreeSet::new();
     for (room_id, room) in &body.room_subscriptions {
+        if !services().rooms.metadata.exists(room_id)? {
+            continue;
+        }
         let todo_room = todo_rooms
             .entry(room_id.clone())
             .or_insert((BTreeSet::new(), 0, u64::MAX));
diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index db17d586..1ba2edc0 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -1799,6 +1799,13 @@ pub async fn get_devices_route(
         return Err(Error::bad_config("Federation is disabled."));
     }
 
+    if body.user_id.server_name() != services().globals.server_name() {
+        return Err(Error::BadRequest(
+            ErrorKind::InvalidParam,
+            "Tried to access user from other server.",
+        ));
+    }
+
     let sender_servername = body
         .sender_servername
         .as_ref()
@@ -1873,6 +1880,13 @@ pub async fn get_profile_information_route(
         return Err(Error::bad_config("Federation is disabled."));
     }
 
+    if body.user_id.server_name() != services().globals.server_name() {
+        return Err(Error::BadRequest(
+            ErrorKind::InvalidParam,
+            "Tried to access user from other server.",
+        ));
+    }
+
     let mut displayname = None;
     let mut avatar_url = None;
     let mut blurhash = None;
@@ -1909,6 +1923,17 @@ pub async fn get_keys_route(body: Ruma<get_keys::v1::Request>) -> Result<get_key
         return Err(Error::bad_config("Federation is disabled."));
     }
 
+    if body
+        .device_keys
+        .iter()
+        .any(|(u, _)| u.server_name() != services().globals.server_name())
+    {
+        return Err(Error::BadRequest(
+            ErrorKind::InvalidParam,
+            "Tried to access user from other server.",
+        ));
+    }
+
     let result = get_keys_helper(None, &body.device_keys, |u| {
         Some(u.server_name()) == body.sender_servername.as_deref()
     })
@@ -1931,6 +1956,17 @@ pub async fn claim_keys_route(
         return Err(Error::bad_config("Federation is disabled."));
     }
 
+    if body
+        .one_time_keys
+        .iter()
+        .any(|(u, _)| u.server_name() != services().globals.server_name())
+    {
+        return Err(Error::BadRequest(
+            ErrorKind::InvalidParam,
+            "Tried to access user from other server.",
+        ));
+    }
+
     let result = claim_keys_helper(&body.one_time_keys).await?;
 
     Ok(claim_keys::v1::Response {
diff --git a/src/database/key_value/rooms/timeline.rs b/src/database/key_value/rooms/timeline.rs
index f322d430..0331a624 100644
--- a/src/database/key_value/rooms/timeline.rs
+++ b/src/database/key_value/rooms/timeline.rs
@@ -331,7 +331,7 @@ fn count_to_id(
         .rooms
         .short
         .get_shortroomid(room_id)?
-        .expect("room exists")
+        .ok_or_else(|| Error::bad_database("Looked for bad shortroomid in timeline"))?
         .to_be_bytes()
         .to_vec();
     let mut pdu_id = prefix.clone();
diff --git a/src/service/rooms/event_handler/mod.rs b/src/service/rooms/event_handler/mod.rs
index 375d1ff0..99fc2cb1 100644
--- a/src/service/rooms/event_handler/mod.rs
+++ b/src/service/rooms/event_handler/mod.rs
@@ -184,7 +184,22 @@ impl Service {
             }
 
             if errors >= 5 {
-                break;
+                // Timeout other events
+                match services()
+                    .globals
+                    .bad_event_ratelimiter
+                    .write()
+                    .unwrap()
+                    .entry((*prev_id).to_owned())
+                {
+                    hash_map::Entry::Vacant(e) => {
+                        e.insert((Instant::now(), 1));
+                    }
+                    hash_map::Entry::Occupied(mut e) => {
+                        *e.get_mut() = (Instant::now(), e.get().1 + 1)
+                    }
+                }
+                continue;
             }
 
             if let Some((pdu, json)) = eventid_info.remove(&*prev_id) {