When the images are external, the image itself can always be replaced later. So just because it passes today or tomorrow, in 3 days, I could keep the same image url, but the image itself is different. The only solution is local images or no images. Otherwise, there truly is no guarantee.
Exactly. Sadly it looks like the forum is going back into circa 1980s text only BBS but all these complicated schemes to validated and revalidated are dumb.
Either you host images locally or don't bother trying to do anything else because odds are no scheme is going to stop a determined hacker. Given how easy it is to host images locally it simply doesn't make sense trying to make the "problem" more complicated only to have it be a token security measure.
Three options
1) No images
2) Locally cache images
3) Accept that you may be attacked