If I have an offline account it would contain 100 private keys (addresses?) if generated by multibit.
I don't think MultiBit pre-generates 100 keys? I thought MultiBit only generated keys as needed? Did this change, or did I misunderstand? Can you link to where you got this information?
whenever someone transfers to me, one of these addreses gets used.
That assumes that you give each person a different address to send to. While that is the recommended procedure, there are many people who prefer to re-use the same address multiple times. Re-using addresses reduces privacy and security, but it generally works fine.
If I use all my keys I have to go online to generate new ones, right?
You do not need to be online to generate keys or addresses. This can be done offline.
The wallet takes care of generating the keys for you whenever you request a new address. If you don't want a new address, then the wallet won't generate new keys. If you do want a new address, then the wallet will generate a new key pair to create the new address.
So the question is. What happens if someone spams 100* minimum transfers to my offline account just before I am to recieve a big transfer?
How is that person going to know what your addresses are unless you tell them? Why would you send someone all of your current addresses?
Regardless, if this happened, then the address that you give out for the "big transfer" will receive 2 payments. One from the spam, and another from the "big transfer".