Walmart has a toggle explicitly for product review emails. I have toggled it off. I still get weekly review emails. I now make it my mission to give 1 star to every product they email me about with a note that their unsubscribe is broken.
Once, their CSR “escalated” my issue, but I never heard back. If you work in Walmart engineering, please fix the review unsubscribe.
Applied to a job at Oracle 3 years ago. For a couple of years their unsubscribe link went to a broken page . Now they totally ignore my unsubscription choice and keep sending me job offers anyway
If 24 Hour Fitness won't let you unsubscribe from marketing spam, big email providers like gmail should automatically mark all of their emails as spam by default until they fix it.
If anyone from Shop.app is here, your unsubscribe does not work either (maybe due to VPN usage).
But that's okay, Fastmail now automatically routes it to the spam folder where it belongs.
additionally:
Interesting, I set my email as a backup authentication for a luddite friend's Comcast email account, and I just discovered spam from Xfinity in my spam folder. Shame on you Xfinity Comcast.
The problem:
My understanding is the CAN-SPAM Act violations can only be prosecuted by states Attorney Generals, there is no civil action available.
Sounds like they have not got CORS set up on their servers either? Surely it should not allow mutating requests from random origins not on an allowlist?
CORS has nothing to do with (dis)allowing 'mutating requests from random origins' on the server unless I'm misunderstanding what you mean. The origin is a browser concept.
Not sure why you're being downvoted. CORS is only a browser concept. If you fire off requests from something that isn't a browser (e.g. curl or a python script or whatever) CORS won't do anything. Servers need to validate the origin of requests properly if that's a problem.
The feature that was called is usually bundled in with cors, even if it strictly speaking isn't.
Allowed origins (what was meant) just validates the Origin header to make sure the API is called from a specific domain, and declines the request if not in the list.
The only way around that is not to send the unsubscribe request via the browser or proxy through a server, because the browser will always append the origin header according to the domain the user is on. Which if configured correctly and not proxied, would end in a http forbidden.
Whereas CORS would not even send the request I believe (but haven't verified), because thats essentially a browser feature, not server.
> OneTrust is literally a consent management platform focused on regulatory compliance, and 24 Hour Fitness is using it to violate consent regulations.
I mean, OneTrust's entire raison d'etre is to violate consent regulations with flimsy deniability.
How can you know that it "works"? Any company scummy enough to send spam to begin with, is capable of selling their customer data to a network of scummy companies that will do the same thing. I think most of the "unsubscribe" links are there to fulfill some legal obligation. They don't do what they're supposed to do, and might in fact be making things worse for the person who clicks them.
The only solution I've found to work, beyond the usual spam filtering, is to setup email on your own domain, and give every company a unique address. The moment you want to stop receiving email from them, you simply block their address. This deals both with the original company, and with anyone they've sold your contact information to.
Nah, unsubscribe links absolutely work. I’m religious about unsubscribing the first time I get any email notification I don’t want from anyone. The result is I basically get no unwanted emails unless I sign of for something new. Compared to basically every other email inbox I’ve ever seen where people don’t unsubscribe… yeah it’s super clear that it works.
I also use email aliases for every single account I have so if my email somehow leaks and I’m getting spam, i know exactly what account leaked it. That’s basically never happened though.
The only problem I have with unsubscribe links is that sometimes the website is straight up broken, like the link is dead or the page unresponsive, and I wonder about how far down fixing that issue is on the engineering team’s todo.
I create a unique iCloud Hide My Email anytime I need to give out an email. The issue here was I signed up for my 24 Hour Fitness membership in person at the gym where the cell service was bad and I couldn't get the WiFI to work, so I begrudgingly gave the guy my real email.
While I could have easily blocked their domain, I took it as a challenge to get the emails to stop.
I use Fastmail which allows me to have a catch-all with my own domain name. I don't need to set anything up to give out a unique email address I make up on the spot. I highly recommend this method.
I do it and never had an issue. I get odd emails every now and then with an unused address, for services/people I never contacted though. But I'm talking about perhaps 2-3 per year.
it’s generally a poor marketing strategy to ignore explicit requests for list removal, because users manually flag the emails as spam which is catastrophic to your domain rep and will tank deliverability. the incentives are heavily in favour of removing people who unsubscribe
The List-Unsubscribe header was pioneered by Dave Rolsky, one of the more notorious spammers of the early 2000's. His reasoning was that most people were just going to hit delete, but anyone who went out of their way to unsubscribe was a squeaky wheel that would cause more problems for him if they got angry about their request being ignored. So he really did honor unsubscribe requests ... at least until adding them to the next spam campaign on a different list.
> How can you know that it "works"? Any company scummy enough to send spam to begin with, is capable of selling their customer data to a network of scummy companies that will do the same thing.
That’s quite a stretch for a company sending marketing email with a broken unsub mechanism.
Considering how these companies are infamous for making it difficult to unsubscribe from their service in real life, I don't think it's too much of a stretch to attribute malice to how they conduct email communications.
You didn't need ChatGPT to coauthor this article. Just use your own authentic voice. In 2026 no one likes GPT text anymore.
I would go so far as to say no one has ever liked GPT text.
1. I agree with you. The standard GPT voice is grating in its ability to use so many words without saying anything.
2. I also see it as a modern tower of Babylon. A linguistic equalizer of sorts.
Walmart has a toggle explicitly for product review emails. I have toggled it off. I still get weekly review emails. I now make it my mission to give 1 star to every product they email me about with a note that their unsubscribe is broken.
Once, their CSR “escalated” my issue, but I never heard back. If you work in Walmart engineering, please fix the review unsubscribe.
If anyone ever prompts me for a review or leaves a "rebate for review" card in the box, they get 1 star.
Walmart should also fix where someone can create an account with someone else's email address (no email address validation).
> If you know someone on the 24 Hour Fitness engineering team, please share this with them. It's a one-line fix.
One man's bug is another man's feature.
"The marketing team says fixing this bug will negatively impact their numbers, closing."
Applied to a job at Oracle 3 years ago. For a couple of years their unsubscribe link went to a broken page . Now they totally ignore my unsubscription choice and keep sending me job offers anyway
If 24 Hour Fitness won't let you unsubscribe from marketing spam, big email providers like gmail should automatically mark all of their emails as spam by default until they fix it.
If anyone from Shop.app is here, your unsubscribe does not work either (maybe due to VPN usage).
But that's okay, Fastmail now automatically routes it to the spam folder where it belongs.
additionally:
Interesting, I set my email as a backup authentication for a luddite friend's Comcast email account, and I just discovered spam from Xfinity in my spam folder. Shame on you Xfinity Comcast.
The problem:
My understanding is the CAN-SPAM Act violations can only be prosecuted by states Attorney Generals, there is no civil action available.
Sounds like they have not got CORS set up on their servers either? Surely it should not allow mutating requests from random origins not on an allowlist?
CORS has nothing to do with (dis)allowing 'mutating requests from random origins' on the server unless I'm misunderstanding what you mean. The origin is a browser concept.
Not sure why you're being downvoted. CORS is only a browser concept. If you fire off requests from something that isn't a browser (e.g. curl or a python script or whatever) CORS won't do anything. Servers need to validate the origin of requests properly if that's a problem.
To expand on that, in case someone is interested:
The feature that was called is usually bundled in with cors, even if it strictly speaking isn't.
Allowed origins (what was meant) just validates the Origin header to make sure the API is called from a specific domain, and declines the request if not in the list.
The only way around that is not to send the unsubscribe request via the browser or proxy through a server, because the browser will always append the origin header according to the domain the user is on. Which if configured correctly and not proxied, would end in a http forbidden.
Whereas CORS would not even send the request I believe (but haven't verified), because thats essentially a browser feature, not server.
That’s the best public service I’ve seen in a long time.
> OneTrust is literally a consent management platform focused on regulatory compliance, and 24 Hour Fitness is using it to violate consent regulations.
I mean, OneTrust's entire raison d'etre is to violate consent regulations with flimsy deniability.
How can you know that it "works"? Any company scummy enough to send spam to begin with, is capable of selling their customer data to a network of scummy companies that will do the same thing. I think most of the "unsubscribe" links are there to fulfill some legal obligation. They don't do what they're supposed to do, and might in fact be making things worse for the person who clicks them.
The only solution I've found to work, beyond the usual spam filtering, is to setup email on your own domain, and give every company a unique address. The moment you want to stop receiving email from them, you simply block their address. This deals both with the original company, and with anyone they've sold your contact information to.
Nah, unsubscribe links absolutely work. I’m religious about unsubscribing the first time I get any email notification I don’t want from anyone. The result is I basically get no unwanted emails unless I sign of for something new. Compared to basically every other email inbox I’ve ever seen where people don’t unsubscribe… yeah it’s super clear that it works.
I also use email aliases for every single account I have so if my email somehow leaks and I’m getting spam, i know exactly what account leaked it. That’s basically never happened though.
The only problem I have with unsubscribe links is that sometimes the website is straight up broken, like the link is dead or the page unresponsive, and I wonder about how far down fixing that issue is on the engineering team’s todo.
My solution to spam emails is this: https://ahmedkaddoura.com/writing/hide-my-email
I create a unique iCloud Hide My Email anytime I need to give out an email. The issue here was I signed up for my 24 Hour Fitness membership in person at the gym where the cell service was bad and I couldn't get the WiFI to work, so I begrudgingly gave the guy my real email.
While I could have easily blocked their domain, I took it as a challenge to get the emails to stop.
I use Fastmail which allows me to have a catch-all with my own domain name. I don't need to set anything up to give out a unique email address I make up on the spot. I highly recommend this method.
The flipside of this is that it's extremely easy to spam you by just iterating new email addresses.
I do it and never had an issue. I get odd emails every now and then with an unused address, for services/people I never contacted though. But I'm talking about perhaps 2-3 per year.
I think I got webmaster@ once.
Don’t they have a list unsubscribe header in the emails themselves? That’s effectively a requirement for senders of their size since Feb 2024.
I see this in the headers. But there was no option in the MacOS Mail client to unsubscribe. Only the Unsubscribe link in the body of the email.
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=member.24hourfitness.com; s=twentyfourhour; t=1762443065; bh=KDZeTqKlOBd6YUTrR6K4RMz9MA2BueBl6/LnKG57yqY=; h=From:Date:Subject:To:MIME-Version:Message-ID:List-Unsubscribe: Content-Type; b=Bq6qnq65i1EN6Df9A5TpcCn3AnNzE8yjkNdDYkapehQV727Jrma15ZU4e88I8Ckdk iH5CZrtJPlNqPscm3JWbuP4IavLVKDNf3Prlm4q75tTXE0IyaTPexyOoGTu+4PoAeG wEa8WaN6zfLl5AkPO0U+zjFHicSx3ooyNomFTI2AtSVoVHVPcubtZV8wRPUy4EV9mV pRBroHp1Uj/LCFRyZRScbs5plfxEpmd3wO9vnMsXW6jqOi19kqfOkhTUKpaRVxxJA+ /cMIq+Wh4TSpt6+22gcm4hLsCVNW0mAImjTZZ/yPFwoGpLaoPOia8aYde1mlROOoZi yx81OFO+90kRQ==
> But there was no option in the MacOS Mail client to unsubscribe.
The functionality for mail clients to offer an "unsubscribe" button is dependent on there being a "List-Unsubscribe" header in the e-mail with a URL:
* https://datatracker.ietf.org/doc/html/rfc8058
* https://datatracker.ietf.org/doc/html/rfc2369#section-3.2
If the sender does not put one in then that's hardly the mail client's fault.
MacOS should have list unsub support from what I can see: https://support.apple.com/en-gb/guide/mail/mlhld3405766/mac
Dependent on the e-mail sender putting a header with a URL in the message:
* https://datatracker.ietf.org/doc/html/rfc8058
It’s effectively a requirement since Feb 2024 when Google and Yahoo rolled out guidelines related to it for bulk senders.
it’s generally a poor marketing strategy to ignore explicit requests for list removal, because users manually flag the emails as spam which is catastrophic to your domain rep and will tank deliverability. the incentives are heavily in favour of removing people who unsubscribe
The List-Unsubscribe header was pioneered by Dave Rolsky, one of the more notorious spammers of the early 2000's. His reasoning was that most people were just going to hit delete, but anyone who went out of their way to unsubscribe was a squeaky wheel that would cause more problems for him if they got angry about their request being ignored. So he really did honor unsubscribe requests ... at least until adding them to the next spam campaign on a different list.
from 2025-10-26 to 2026-01-29 (the day I wrote this article), no_reply@24hourfitness.com sent me 40 spam emails.
In the 33 days since I wrote this article, no_reply@24hourfitness.com sent me zero.
Assuming their mails follow a Poisson distribution, the 95% confidence interval for their new spam rate is 0-0.091 emails per day.
> How can you know that it "works"? Any company scummy enough to send spam to begin with, is capable of selling their customer data to a network of scummy companies that will do the same thing.
That’s quite a stretch for a company sending marketing email with a broken unsub mechanism.
Considering how these companies are infamous for making it difficult to unsubscribe from their service in real life, I don't think it's too much of a stretch to attribute malice to how they conduct email communications.