Gravatar is designed that way so you can use any default image.

The technique is described in the Gravatar docs under "Default Image."

http://en.gravatar.com/site/implement/images/

Ah. But I'd expect think that they'd limit it to only images, or do some sorta safety checking. I recognize the performance concerns, but it's too easy to add a malware redirect onto their trusted url.