Under bvoptions > Message Posting and Editing Options, make sure to set this to No:
Allow Dynamic URL for [IMG] Tags
With this option set to 'no', the [IMG] tag will not be displayed if the path to the image contains dynamic characters such as ? and &. This can prevent malicious use of the [IMG] tag.
That isn't going to help if they're using vB SEO, like in the example which gives 'static' URLs for pages without the IDs and stuff. I think vBulletin should implement a filter which checks if it ends with a valid file extension to stop this problem.