Might be time to consider restricting hotlinked graphics to certain domains (Photobucket, tinypic, and the like) to prevent hotlink graphic shenanigans.
Even then you could post something to tinypic that has malicious code in it. Of course, getting it to execute would be a little more problematic. :)
Still, restricting hotlinks to certain known and (relatively) trusted image hosts would knock out a percentage of attacks right there.
Been a longtime consideration. I’ve never liked the hotlinking and it is a source of legal contention (but then so are single-sentence excerpts and even mere links for some, absurd.) Can’t cache and serve images myself due to copyright, and whitelisting may be too cumbersome both on the user end and maintenance. Blacklisting is an option, and coupled with an index of all external links within the HTML would allow a process to ex post facto rewrite HTML records to transform live links to dead or vice versa (dead being a span with id, live being a/img with id.)
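The blocklist-plus-link-index rewrite described in the last post, sketched as an added example that is not code from this thread or from the site itself. The names `LinkRewriter`, `rewrite`, `data-dead-tag` and `data-dead-url`, and the sample hosts, are hypothetical. It assumes stored records are already sanitized, so only this process ever writes the `data-dead-*` attributes; comments and doctype declarations are not re-emitted.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTR = {"a": "href", "img": "src"}   # live element -> its URL attribute
MANAGED = ("href", "src", "data-dead-tag", "data-dead-url")
VOID = ("img", "br", "hr", "wbr")        # no end tag is re-emitted for these
# Constructed sample record; hosts use the reserved .example TLD.
RECORD = ('<p>See <a id="l1" href="https://bad.example/x?a=1&amp;b=2">this</a> and '
          '<img id="l2" alt="cat" src="http://i.imghost.example/cat.png"></p>')

class LinkRewriter(HTMLParser):
    """Re-emit one stored HTML record, setting each a/img live or dead."""
    def __init__(self, blocked_hosts):
        super().__init__(convert_charrefs=False)
        self.blocked = [h.lower() for h in blocked_hosts]
        self.out, self.index, self.closers = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = a.get("data-dead-tag") if tag == "span" else tag
        url = (a.get("data-dead-url") or a.get(URL_ATTR[kind])) if kind in URL_ATTR else None
        if not url:                                  # not an external link: copy through
            self.out.append(self.get_starttag_text())
            if tag in ("a", "span"): self.closers.append(f"</{tag}>")
            return
        host = (urlsplit(url).hostname or "").lower()
        dead = any(host == b or host.endswith("." + b) for b in self.blocked)
        self.index.append((a.get("id"), kind, host, "dead" if dead else "live"))
        keep = [(k, v) for k, v in attrs if k not in MANAGED]
        keep += [("data-dead-tag", kind), ("data-dead-url", url)] if dead else [(URL_ATTR[kind], url)]
        name = "span" if dead else kind
        text = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in keep)
        self.out.append(f"<{name}{text}>")
        # A source <img> has no end tag, so close its dead span now; otherwise defer.
        (self.out if tag == "img" else self.closers).append("" if name == "img" else f"</{name}>")

    def handle_endtag(self, tag):
        if tag in ("a", "span"):                     # emit the closer chosen at the start tag
            self.out.append(self.closers.pop() if self.closers else "")
        elif tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def rewrite(html, blocked_hosts):
    """Return (rewritten_html, index rows of (id, kind, host, state))."""
    p = LinkRewriter(blocked_hosts); p.feed(html); p.close()
    return "".join(p.out), p.index
```

Re-running `rewrite` over every record after the blocklist changes kills newly listed hosts and revives delisted ones, and the returned index rows are what the link index would store.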