
Why couldn't Google show images by default before turning on the cache? I assume it's a security issue, but would be interested to hear the reason in detail.



Among other reasons, imagine me sending support@example.com an email with <img src="http://localhost:3000/carefully-constructed-url" /> if I knew Example.com was a Rails shop in January 2013. That could have been oodles of fun. localhost:3000 is one of the many, many examples of things that could be put there. Other examples include probing for internal redmine instances, attempting to compromise dev/staging servers which are firewalled from outside traffic, etc etc.

This is not a risk if Google proxies the image -- they'll proxy a 404, because Gmail's servers don't have privileged, cookied access to apps on your internal network, dev boxes, etc.
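A worked illustration of the mitigation described in that comment, added here as an example and not code from the thread or from Gmail. It rewrites every http(s) `<img src>` in a constructed sample email so the recipient's browser only ever talks to a proxy (the hypothetical host `img-proxy.example.net` is assumed), and shows the destination check the proxy itself must apply before fetching, so that it does not become the pivot into someone else's internal network instead of the recipient's browser. The sample email, including the `localhost:3000` and internal Redmine URLs, is constructed for this example.

```python
import ipaddress
import re
from urllib.parse import quote, urlsplit

# Hypothetical proxy endpoint; the real name of such a service is not on the page.
PROXY_PREFIX = "https://img-proxy.example.net/fetch?url="

# Matches the src attribute of <img> tags in a simple HTML email body.
_IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=)(["\'])([^"\']*)\2', re.IGNORECASE)

# Constructed sample email body, modelled on the attack described in the comment.
SAMPLE_EMAIL_HTML = """<p>Hi support,</p>
<img src="https://cdn.example.com/logo.png">
<img src='http://localhost:3000/carefully-constructed-url'>
<img src="http://10.0.0.5/redmine/issues/1">
<img src="http://redmine/issues/1">
<img src="cid:part1@example.com">
"""


def is_internal_destination(url):
    """True if fetching this URL would reach something only reachable from
    inside a network: loopback, RFC 1918 / link-local ranges, or bare intranet
    names such as 'redmine' or 'localhost' that never resolve in public DNS."""
    host = urlsplit(url).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    if "." not in host and ":" not in host:
        return True  # single-label name (or no host at all): intranet-only
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Public DNS name. A real proxy must repeat this check on the address
        # the name resolves to, immediately before connecting.
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def rewrite_email_html(html):
    """Rewrite every http(s) <img src> so the recipient's browser fetches it
    from the proxy and never from the original host. Returns the rewritten
    HTML and the list of original URLs that were rewritten.

    The rewrite is unconditional: the recipient's browser sits inside the
    corporate network and holds its intranet cookies, so no URL may be fetched
    from there. Non-network sources such as cid: (inline attachments) are left
    as they are."""
    rewritten = []

    def repl(m):
        prefix, q, src = m.group(1), m.group(2), m.group(3)
        if urlsplit(src).scheme.lower() not in ("http", "https"):
            return m.group(0)
        rewritten.append(src)
        return f"{prefix}{q}{PROXY_PREFIX}{quote(src, safe='')}{q}"

    return _IMG_SRC.sub(repl, html), rewritten


def proxy_may_fetch(url):
    """Proxy-side check: only plain http(s), and never an internal destination.
    Without this, the attacker simply aims the proxy at the proxy's own
    internal network instead of the recipient's."""
    scheme = urlsplit(url).scheme.lower()
    return scheme in ("http", "https") and not is_internal_destination(url)


def demo():
    """Rewrite the sample email and report the proxy's verdict per image URL."""
    _, urls = rewrite_email_html(SAMPLE_EMAIL_HTML)
    return {u: proxy_may_fetch(u) for u in urls}


if __name__ == "__main__":
    for url, allowed in demo().items():
        print(("fetch  " if allowed else "refuse ") + url)
```

In the rewritten email the `localhost:3000` request still exists as a string, but it is now a parameter of a request to the proxy; whether anything is fetched is decided by `proxy_may_fetch` on a machine that has no route to the recipient's intranet, which is exactly why the comment above says the proxy will only ever return a 404 for it.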


Good point about an outsider potentially poking at internal.corporate.com. Though you could only trick support@example.com into making a GET request in this manner, right? Which ideally doesn't change data, but obviously exposes bigger attack area for vulnerabilities like the rails one.


Rails in January 2013 was mentioned specifically because a series of security bugs allowed attackers to achieve remote code execution with specially crafted URL parameters.

Thus someone could get a remote shell on your box running as the rails account, not just access to an internal application.



