Previous discussion:
https://news.ycombinator.com/item?id=7371176
For sites like Gravatar[1] that generate an image from a given URL:
> In addition to allowing you to use your own image, Gravatar has a number of built in options which you can also use as defaults .... Most of these work by taking the requested email hash and using it to generate a themed image that is unique to that email address.
Not only would it such an attack function as a network DDOS, but could also cause CPU thrashing as thousands of images are generated simultaneously.
There may also a danger of an amplification attack using Gravatar (or a similar site). For instance, from the Gravatar docs:
> If you'd prefer to use your own default image (perhaps your logo, a funny face, whatever), then you can easily do so by supplying the URL to an image in the d= or default= parameter.
Which will cause a Gravatar server to fetch the image in question.
So - in the Google spreadsheet an attacker could also add an additional Gravatar line for each image, doubling the number of requesting servers with little extra effort.
[1] https://en.gravatar.com/site/implement/images/
