I don't think that's a smart move. Let's give them some benefit of doubt and bring this to their attention. I have messaged them on their facebook. Hope this will help.
P.S. I am not a Citibank fan or something. Just trying to deal with this sanely.
Their Facebook is most likely ran by an intern or "social media expert" who couldn't be any more disconnected from their actual website and programming. If their e-mails get banned however, it'll go to a sysadmin who can actually start a conversation to do something.
What about the users who need to get account related email that they signed up for? I understand your disdain for unwanted email, I share it, but why should our opinions have a negative effect on others.
Don't blame the victim. If Citi is sending unwanted e-mails with no good way to unsubscribe then they are sending spam, and the fault lies with them, not with the people who say to themselves, "hey, this is spam, I should report it as such."
To be fair, me labeling something in my email client as junk doesn't signal my intent to harm other people's experience. If it does that, the blame is on the service providers: namely those signaling intent which I did not wish to signal.
The issue other users have are with their own service providers using a system that apparently can be easily gamed or falsified.
Finally, the problem is on Citibank's end, but sending unwanted email with people who have explicitly requested they stop.
If users don't get account related email they signed up for, it's on Citibank's end to solve, as well as the service providers they are using to retrieve their email. They alone are at fault.
I have my bank send me an email saying "you've made a credit card purchase" every time I make a credit card purchase, just as a low-hassle way of keeping an eye on things, but those emails seem to be sent from completely separate systems from the (very occasional) marketing-ish email. The later they seem to contract out.
Certainly nothing that I need comes through email.
I would expect that they are separate systems for Citibank as well.
Email is the only universally-accepted federated notification system.
Emails such as "your card has been used 1000km+ from its last use" or "you just made this >$1000 purchase" are very useful indeed, and should be encouraged to detect fraud.
The problem with that is banks sometimes ask what your last transaction was to prove you are the account holder. Anyone who has access to these email messages will know that information.
I've never seen this with any of the banks with which I've done business. They will tell me what the transactions were and ask me to confirm that they were indeed by me in the case that they're suspicious of fraudulent activity.
My bank knows my public key. They could send me an encrypted email... well, except that ciphersuite in subject is GOST, which is not supported by most MUAs, so they don't. So, unfortunately, the key's only used to authenticate me over a TLS connection for a web-based self-care service.
