by jjav 1405 days ago
> Making it harder to log in to dormant accounts from new devices and locations.

There is no justification in making it difficult to log in to accounts that have never sent spam; that's the user-hostile part of Gmail. They have it in their logs which accounts are sending spam.

1 comments

When an attacker gets into a dormant account and sends spam, it's because they have already mined all the data in that account... I.e., they've already taken over every account that used that account for password resets, they've already stolen any credit card numbers they could find in the drafts folder or pictures of driving licenses and passports that were uploaded to Google Photos...

Sending spam is the last step... The steps beforehand are much more damaging to the user involved. And, sure, you could blame them for reusing their login password, but not being well versed in computer security isn't widespread, nor a reason to punish them.

> nor a reason to punish them

Locking people out of their account (which sometimes means a large chunk of their real life) with no recourse is very punishing and inexcusable.