diff --git a/llarp/nodedb.cpp b/llarp/nodedb.cpp
index 8d0737bd9..ceef0c95e 100644
--- a/llarp/nodedb.cpp
+++ b/llarp/nodedb.cpp
@@ -110,6 +110,7 @@ namespace llarp
   {
     if (m_Root.empty())
       return;
+    std::set<fs::path> purge;
 
     for (const char& ch : skiplist_subdirs)
     {
@@ -120,15 +121,50 @@ namespace llarp
       fs::path sub = m_Root / p;
 
       llarp::util::IterDir(sub, [&](const fs::path& f) -> bool {
-        if (fs::is_regular_file(f) and f.extension() == RC_FILE_EXT)
+        // skip files that are not suffixed with .signed
+        if (not(fs::is_regular_file(f) and f.extension() == RC_FILE_EXT))
+          return true;
+
+        RouterContact rc{};
+
+        if (not rc.Read(f))
+        {
+          // try loading it, purge it if it is junk
+          purge.emplace(f);
+          return true;
+        }
+
+        if (not rc.FromOurNetwork())
+        {
+          // skip entries that are not from our network
+          return true;
+        }
+
+        if (rc.IsExpired(time_now_ms()))
         {
-          RouterContact rc{};
-          if (rc.Read(f) and rc.Verify(time_now_ms(), false))
-            m_Entries.emplace(rc.pubkey, rc);
+          // rc expired dont load it and purge it later
+          purge.emplace(f);
+          return true;
         }
+
+        // validate signature and purge entries with invalid signatures
+        // load ones with valid signatures
+        if (rc.VerifySignature())
+          m_Entries.emplace(rc.pubkey, rc);
+        else
+          purge.emplace(f);
+
         return true;
       });
     }
+
+    if (not purge.empty())
+    {
+      LogWarn("removing {} invalid RC from disk", purge.size());
+
+      for (const auto& fpath : purge)
+        fs::remove(fpath);
+    }
   }
 
   void
diff --git a/llarp/router_contact.cpp b/llarp/router_contact.cpp
index 7690984b3..b40339a59 100644
--- a/llarp/router_contact.cpp
+++ b/llarp/router_contact.cpp
@@ -122,6 +122,12 @@ namespace llarp
     return result;
   }
 
+  bool
+  RouterContact::FromOurNetwork() const
+  {
+    return netID == NetID::DefaultValue();
+  }
+
   bool
   RouterContact::BEncodeSignedSection(llarp_buffer_t* buf) const
   {
diff --git a/llarp/router_contact.hpp b/llarp/router_contact.hpp
index e328192e8..bafade89b 100644
--- a/llarp/router_contact.hpp
+++ b/llarp/router_contact.hpp
@@ -201,6 +201,10 @@ namespace llarp
     bool
     VerifySignature() const;
 
+    /// return true if the netid in this rc is for the network id we are using
+    bool
+    FromOurNetwork() const;
+
    private:
     bool
     DecodeVersion_0(llarp_buffer_t* buf);