Note, the snippet below is an example, only, and has some shortcomings for simplicity:

• only handles IPv4 addresses
• does not do any version detection of the filter protocol, and doesn't work on filter protocol < 0.6 (which was used in OpenSMTPD < 6.7; see comments in the script for details)
• SMTP error returned on blacklisting is hardcoded, but should be configurable
• has hardcoded logging of every filter action, people might want to silence it

#!/usr/bin/awk -f
#
# Usage in smtpd.conf:
#   filter <filter-name> proc-exec "/path/to/filter-dnsbl <resolve_cmd> <dnsbl> <ip_bl>"
#
# Where:
# - <resolve_cmd> is a string used to resolve the DNSBL query, returning
#   only the response, use %s for assembled request, escape % with %%, e.g.:
#     "dig +short %s"
#     "host -t A %s | sed 's/^.*has address //'"
# - <dnsbl> is the DNSBL address-suffix to look up, e.g.:
#     "ix.dnsbl.manitu.net"
# - <ip_bl> is a regex, if IP(s) returned by the lookup match they are
#   considered "blacklisted", e.g.:
#     "^127\.0\.0\.[234]$"
#
# Examples (for smtpd.conf):
#   filter dnsbl_nixspam proc-exec "filter-dnsbl.awk \"host -t A %s | sed 's/^.*has address //'\" ix.dnsbl.manitu.net '^127\.0\.0\.2$'"
#   filter dnsbl_nixspam proc-exec "filter-dnsbl.awk \"dig +short %s A\" bl.spamcop.net '^127\.0\.0\.2$'"

BEGIN {
    if (ARGC != 4) {
        printf("Error, 4 args expected, got %d\n", ARGC) > "/dev/stderr"
        exit 1  # note, this will terminate smtpd
    }
    RESOLVE_CMD = ARGV[1]
    DNSBL = ARGV[2]
    IP_BL = ARGV[3]
    ARGC = 0 # no more input args / files
    FS = "|"
}

"config|ready" == $0 {
    print("register|filter|smtp-in|connect") > "/dev/stdin"
    print("register|ready") > "/dev/stdin"
    next # don't exit as this will stop smtpd
}
"filter" == $1 {
    if (NF < 9) {
        printf("Error, filter line not having enough fields, 9+ expected, got %d\n", NF) > "/dev/stderr"
        next # don't exit as this will stop smtpd
    }
    sess_id = $6
    resp_token = $7
    # reverse on the fly and trim port
    # !NOTE!: with version < 0.6 (e.g. $2 == "0.5") the connecting ip is in $10 - not handling version detection, here
    split($9, x, "[.:]")
    req = x[4]"."x[3]"."x[2]"."x[1]"."DNSBL  # !NOTE!: works only with ipv4

    ret = "proceed"
    cmd = sprintf(RESOLVE_CMD, req)
    while((cmd | getline r) > 0) {
        if(r ~ IP_BL) {
            ret = "reject|550 connecting server is blacklisted"
            break
        }
    }
    close(cmd)

    print(sess_id" DNSBL check: "$8" ["$9"]: "cmd" => "ret) > "/dev/stderr"
    print("filter-result|"sess_id"|"resp_token"|"ret) > "/dev/stdin"
}

Turns out it was, and even without any rescue tool. When I started looking into it, the first tool I saw in the FreeBSD ports was magicrescue, but somehow no matter what I tried, it always exited with the same error. Looking at the man-page I noticed right at the beginning:

It looks at "magic bytes" in file contents, [...] It works on any file system,
but on very fragmented file systems it can only recover the first chunk of each
file.  These chunks are sometimes as big as 50MB, however.

So, the tool is file-system agnostic, it seems to only look for some sequence of bytes and then to recover some sequential number of bytes. This also means that very complex file-systems or features like compression and deduplication will obviously not be suited for recovery with magicrescue.

Makes sense. And that applies also to my case: the card had a FAT32 file system on it (like probably most cameras use), meaning there won't be any fancy file system features. Also, given that a camera stores one picture after the other (and if people delete some it's often always the last right after taking it), there probably also is little fragmentation.

So, basically, all I need to do is read all bytes off of the card, and split on certain patterns. split(1) unfortunately doesn't help, as although you can use a pattern for splitting, it's only matching on entire lines.
Inspecting the first few megabytes on the SD card revealed, that the images on there are stored as Exif-JPEG files (starting with magic numbers 0xff 0xd8, and then 0xff 0xe1 for this subtype, details here). This is not something general purpose, of course. And even for this one type of JPEG file not something to rely on, but I didn't want to split on 0xff 0xd8, only (to keep false positives low), and assumed that the camera wrote all images in the same format/way.

Completely ignoring the end-markers of JPEG files, accepting that the recovered images might have some garbage data appended, I started splitting the data on the SD card up on those 4 byte patterns. And that works quite nicely with dd and gawk (note, POSIX awk won't work, as the record separator can only be one byte):

dd if=$SRC of=/dev/stdout bs=1M | \
  gawk 'BEGIN { FS="fs is not important"; RS="\xff\xd8\xff\xe1" } { print RS$0 > sprintf("%04d.jpg", NR) }'

Of course, set $SRC to the device you want to recover your files from.

That's it - I was able to recover every single image off of that card, with a shell one-liner! Of course, this is a specific case that made this possible: simple file system, no fragmentation, only JPEG files to recover, and only one JPEG type to look for, etc., but it can easily extended to suit other purposes.

Here's a little bit more convenient version as a shell script, allowing to seek, set the size to recover, and an optional prefix for the recovered images (still only looking for the same 4 bytes to separate on, though):

#!/bin/sh
if [ $# -lt 3 ]; then echo Usage: $0 DEV SIZE_MB SEEK_MB OUT_PREFIX; exit; fi
dd if=$1 of=/dev/stdout bs=1M count=$2 iseek=$3 | gawk 'BEGIN { FS="fs is not important"; RS="\xff\xd8\xff\xe1" } { print RS$0 > sprintf("'$4'%04d.jpg", NR) }'