Sounds like they have not got CORS set up on their servers either? Surely it should not allow mutating requests from random origins not on an allowlist?
CORS has nothing to do with (dis)allowing 'mutating requests from random origins' on the server unless I'm misunderstanding what you mean. The origin is a browser concept.
Not sure why you're being downvoted. CORS is only a browser concept. If you fire off requests from something that isn't a browser (e.g. curl or a python script or whatever) CORS won't do anything. Servers need to validate the origin of requests properly if that's a problem.
The feature that was called is usually bundled in with CORS, even if it strictly speaking isn't.
Allowed origins (what was meant) just validates the Origin header to make sure the API is called from a specific domain, and declines the request if not in the list.
The only way around that is not to send the unsubscribe request via the browser or proxy through a server, because the browser will always append the Origin header according to the domain the user is on. Which, if configured correctly and not proxied, would end in an HTTP forbidden.
Whereas CORS would not even send the request I believe (but haven't verified), because that's essentially a browser feature, not server.
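An added example, not part of the thread and not any site's real code: a minimal Python sketch of the server-side Origin allowlist described above, kept separate from the CORS response header. The allowlist, the method set and the `handle` function are assumptions; header keys are assumed to arrive as `Origin`.

```python
from urllib.parse import urlsplit

# Assumed allowlist and method set for this sketch.
ALLOWED_ORIGINS = {"https://www.example.com", "https://account.example.com"}
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return 'scheme://host[:port]' in canonical form, or None if malformed."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def handle(method, headers):
    """Return (status, response_headers) for one request (keys as 'Origin')."""
    response_headers = {"Vary": "Origin"}
    raw = headers.get("Origin")
    if raw is None:
        # No Origin header (curl, scripts, some browser GETs): this check has
        # nothing to judge; the API's own authentication decides (not shown).
        return 200, response_headers
    origin = normalize_origin(raw)
    if origin not in ALLOWED_ORIGINS:
        # Server-side enforcement: a mutating request is refused before it runs.
        return (403 if method.upper() in MUTATING else 200), response_headers
    # CORS part: tells the browser this origin's script may read the response.
    response_headers["Access-Control-Allow-Origin"] = origin
    return 200, response_headers
```

Requests from non-browser clients can carry any Origin value or none, so this check complements the API's authentication rather than replacing it.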
How can you know that it "works"? Any company scummy enough to send spam to begin with, is capable of selling their customer data to a network of scummy companies that will do the same thing. I think most of the "unsubscribe" links are there to fulfill some legal obligation. They don't do what they're supposed to do, and might in fact be making things worse for the person who clicks them.
The only solution I've found to work, beyond the usual spam filtering, is to set up email on your own domain, and give every company a unique address. The moment you want to stop receiving email from them, you simply block their address. This deals both with the original company, and with anyone they've sold your contact information to.
I create a unique iCloud Hide My Email anytime I need to give out an email. The issue here was I signed up for my 24 Hour Fitness membership in person at the gym where the cell service was bad and I couldn't get the WiFi to work, so I begrudgingly gave the guy my real email.
While I could have easily blocked their domain, I took it as a challenge to get the emails to stop.
I use Fastmail which allows me to have a catch-all with my own domain name. I don't need to set anything up to give out a unique email address I make up on the spot. I highly recommend this method.
I do it and never had an issue. I get odd emails every now and then with an unused address, for services/people I never contacted though. But I'm talking about perhaps 2-3 per year.
> How can you know that it "works"? Any company scummy enough to send spam to begin with, is capable of selling their customer data to a network of scummy companies that will do the same thing.
That’s quite a stretch for a company sending marketing email with a broken unsub mechanism.
Considering how these companies are infamous for making it difficult to unsubscribe from their service in real life, I don't think it's too much of a stretch to attribute malice to how they conduct email communications.
Nah, unsubscribe links absolutely work. I’m religious about unsubscribing the first time I get any email notification I don’t want from anyone. The result is I basically get no unwanted emails unless I sign up for something new. Compared to basically every other email inbox I’ve ever seen where people don’t unsubscribe… yeah it’s super clear that it works.
I also use email aliases for every single account I have so if my email somehow leaks and I’m getting spam, I know exactly what account leaked it. That’s basically never happened though.
The only problem I have with unsubscribe links is that sometimes the website is straight up broken, like the link is dead or the page unresponsive, and I wonder about how far down fixing that issue is on the engineering team’s todo.
It’s generally a poor marketing strategy to ignore explicit requests for list removal, because users manually flag the emails as spam, which is catastrophic to your domain rep and will tank deliverability. The incentives are heavily in favour of removing people who unsubscribe.
The List-Unsubscribe header was pioneered by Dave Rolsky, one of the more notorious spammers of the early 2000s. His reasoning was that most people were just going to hit delete, but anyone who went out of their way to unsubscribe was a squeaky wheel that would cause more problems for him if they got angry about their request being ignored. So he really did honor unsubscribe requests ... at least until adding them to the next spam campaign on a different list.
> OneTrust is literally a consent management platform focused on regulatory compliance, and 24 Hour Fitness is using it to violate consent regulations.
I mean, OneTrust's entire raison d'etre is to violate consent regulations with flimsy deniability.
If anyone from Shop.app is here, your unsubscribe does not work either (maybe due to VPN usage).
But that's okay, Fastmail now automatically routes it to the spam folder where it belongs.
additionally:
Interesting, I set my email as a backup authentication for a luddite friend's Comcast email account, and I just discovered spam from Xfinity in my spam folder. Shame on you Xfinity Comcast.
The problem:
My understanding is that CAN-SPAM Act violations can only be prosecuted by state Attorneys General; there is no civil action available.
Walmart has a toggle explicitly for product review emails. I have toggled it off. I still get weekly review emails. I now make it my mission to give 1 star to every product they email me about with a note that their unsubscribe is broken.
Once, their CSR “escalated” my issue, but I never heard back. If you work in Walmart engineering, please fix the review unsubscribe.
I have integrated my OpenClaw agents so deeply into my life and I'm in such constant communication with them, that my consciousness has fundamentally shifted to align with their intelligence.
While my previous comment in this thread was sarcastic, my OpenClaw agents have actually sent both iMessages and emails on my behalf without asking for consent. So I wouldn't put it past them to autonomously publish on my personal website.
If 24 Hour Fitness won't let you unsubscribe from marketing spam, big email providers like gmail should automatically mark all of their emails as spam by default until they fix it.
Applied to a job at Oracle 3 years ago. For a couple of years their unsubscribe link went to a broken page. Now they totally ignore my unsubscription choice and keep sending me job offers anyway.
mattlondon | 12 hours ago
bigDinosaur | 12 hours ago
onion2k | 11 hours ago
ffsm8 | 6 hours ago
imiric | 12 hours ago
[OP] daem | 12 hours ago
In the 33 days since I wrote this article, no_reply@24hourfitness.com sent me zero.
fer | 12 hours ago
[OP] daem | 12 hours ago
iamacyborg | 12 hours ago
[OP] daem | 12 hours ago
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=member.24hourfitness.com; s=twentyfourhour; t=1762443065; bh=KDZeTqKlOBd6YUTrR6K4RMz9MA2BueBl6/LnKG57yqY=; h=From:Date:Subject:To:MIME-Version:Message-ID:List-Unsubscribe: Content-Type; b=Bq6qnq65i1EN6Df9A5TpcCn3AnNzE8yjkNdDYkapehQV727Jrma15ZU4e88I8Ckdk iH5CZrtJPlNqPscm3JWbuP4IavLVKDNf3Prlm4q75tTXE0IyaTPexyOoGTu+4PoAeG wEa8WaN6zfLl5AkPO0U+zjFHicSx3ooyNomFTI2AtSVoVHVPcubtZV8wRPUy4EV9mV pRBroHp1Uj/LCFRyZRScbs5plfxEpmd3wO9vnMsXW6jqOi19kqfOkhTUKpaRVxxJA+ /cMIq+Wh4TSpt6+22gcm4hLsCVNW0mAImjTZZ/yPFwoGpLaoPOia8aYde1mlROOoZi yx81OFO+90kRQ==
iamacyborg | 11 hours ago
throw0101c | 10 hours ago
* https://datatracker.ietf.org/doc/html/rfc8058
iamacyborg | 8 hours ago
throw0101c | 10 hours ago
The functionality for mail clients to offer an "unsubscribe" button is dependent on there being a "List-Unsubscribe" header in the e-mail with a URL:
* https://datatracker.ietf.org/doc/html/rfc8058
* https://datatracker.ietf.org/doc/html/rfc2369#section-3.2
If the sender does not put one in then that's hardly the mail client's fault.
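An added example, not part of the thread: a Python check of whether a message carries what RFC 8058 one-click unsubscribe needs, namely an HTTPS URI in List-Unsubscribe, the List-Unsubscribe-Post declaration, and a DKIM `h=` list that covers both headers. The sample message, its addresses and the function names are constructed for illustration, and the DKIM signature itself is not verified.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread); names are placeholders.
SAMPLE = """\
From: News <news@sender.example>
To: user@recipient.example
Subject: Weekly offers
List-Unsubscribe: <mailto:unsub@sender.example?subject=unsubscribe>,
 <https://sender.example/unsub/opaque-token>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel;
 h=From:Date:Subject:To:List-Unsubscribe:List-Unsubscribe-Post;
 bh=PLACEHOLDER; b=PLACEHOLDER

Body text.
"""
ONE_CLICK = "list-unsubscribe=one-click"
REQUIRED_SIGNED = {"list-unsubscribe", "list-unsubscribe-post"}


def signed_header_names(msg):
    """Header names listed in h= of any DKIM-Signature (signature not verified)."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in sig.split(";"):
            key, sep, value = tag.partition("=")
            if sep and key.strip() == "h":
                names |= {h.strip().lower() for h in value.split(":") if h.strip()}
    return names


def unsubscribe_report(raw_message):
    """Summarise whether a message offers RFC 8058 one-click unsubscribe."""
    msg = message_from_string(raw_message)
    found = re.findall(r"<([^<>]+)>", msg.get("List-Unsubscribe", ""))
    uris = [u.strip() for u in found]
    https = [u for u in uris if u.lower().startswith("https://")]
    post = "".join(msg.get("List-Unsubscribe-Post", "").split())
    declared = post.lower() == ONE_CLICK
    covered = REQUIRED_SIGNED <= signed_header_names(msg)
    return {
        "has_list_unsubscribe": bool(uris),
        "https_uris": https,
        "one_click_declared": declared,
        "dkim_covers_headers": covered,
        "one_click_usable": bool(https) and declared and covered,
    }
```

The `h=` list in the DKIM-Signature quoted earlier in this thread names List-Unsubscribe but not List-Unsubscribe-Post, so a message signed that way would report `dkim_covers_headers` as false here.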
rationalist | 10 hours ago
soulofmischief | 10 hours ago
fer | 9 hours ago
rationalist | 7 hours ago
DANmode | 3 hours ago
They all end up in spam.
DANmode | 3 hours ago
iamacyborg | 12 hours ago
chuckadams | 10 hours ago
left-struck | 10 hours ago
nojs | 10 hours ago
chuckadams | 10 hours ago
bob1029 | 12 hours ago
One man's bug is another man's feature.
yellow_lead | 9 hours ago
troupo | 11 hours ago
rationalist | 10 hours ago
illusive4080 | 9 hours ago
rationalist | 7 hours ago
estimator7292 | 5 hours ago
RickJWagner | 9 hours ago
StilesCrisis | 9 hours ago
al_borland | 8 hours ago
peddling-brink | 7 hours ago
2. I also see it as a modern tower of Babylon. A linguistic equalizer of sorts.
[OP] daem | 4 hours ago
You’re right though, upon re-read there are some places in this article where my authentic voice doesn’t come through. Re-writing.
the_biot | 4 hours ago
[OP] daem | 3 hours ago
I gave him the keys to my email and he got annoyed by the spam. He tried to unsubscribe, and when it didn’t work, he debugged the issue and fixed it.
Mars also has my Cloudflare key so he went ahead and wrote this article and published it himself.
basch | 3 hours ago
[OP] daem | 3 hours ago
c22 | 40 minutes ago
MiddleEndian | 7 hours ago
junkblocker | 5 hours ago