I have not seen this particular problem, but I encourage you to look at Declude, which permits you to create filter rules based on multiple criteria.
Declude has built-in tests for HELO, REVDNS, and MAILFROM (SMTP Address). Testing the Message-From address requires regular expressions. Here is a filter clause to evaluate whether the Message From ends with @example.com:
HEADERS 1 PCRE (\n\r*From:[^@]+@example\.com)
Most of the "Email Service Providers" (ESPs) use their own domain in the SMTP From Address, which ensures that the message will pass SPF. Then the Message-From address indicates the client domain. These ESP organizations can have some clients whose messages are important to you, and other clients whose messages are toxic. Consequently, you need to be able to filter on the combination of SMTP From address and Message From address. Declude is the only product that I have found which can do this well, and they do it affordably. Some of the outrageously expensive cloud services may be able to do it, but their capabilities are not confirmed because I was scared away by their pricing.
A couple of ESPs send so much toxic content that I quarantine their messages by default. I exempt the few acceptable client domains as they become identified. If you want to know my hated ESP list, send me a private message.
Declude is dependent on text file parsing. This may become problematic with highly complex configurations or very high volume operations. But unlike my commercial appliance products, Declude is extensible. I have created custom filters to migrate most of my filtering logic into a SQL database. This has simplified my configuration while improving performance.
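The policy described above (quarantine a listed ESP by default, exempt known-good client domains) depends on evaluating the SMTP From domain and the Message From domain together. The following Python sketch is an added example, not part of the original post and not Declude configuration. The domains, the ESP_POLICY table and the function names are constructed for illustration, and the header domain is compared exactly after parsing the address rather than by substring.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy: ESP domain -> client domains exempt from quarantine.
ESP_POLICY = {"esp-mailer.example": {"goodclient.example"}}

def domain_of(address):
    """Lowercased domain of the addr-spec, ignoring any display name."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def matching_esp(domain):
    """Return the listed ESP that domain equals or is a subdomain of."""
    for esp in ESP_POLICY:
        if domain == esp or domain.endswith("." + esp):
            return esp
    return None

def classify(envelope_from, raw_message):
    """Decide on the pair (SMTP From domain, Message From domain)."""
    esp = matching_esp(domain_of(envelope_from))
    if esp is None:
        return "deliver"  # not a default-quarantined ESP; other tests apply
    from_headers = message_from_string(raw_message).get_all("From", [])
    if len(from_headers) != 1:
        return "quarantine"  # missing or repeated From: cannot be trusted
    # Exact match only: goodclient.example.other.example must not pass.
    if domain_of(from_headers[0]) in ESP_POLICY[esp]:
        return "deliver"
    return "quarantine"

def sample(from_value):
    """Build a constructed test message with the given From: header."""
    return f"From: {from_value}\nSubject: offer\n\nbody\n"

if __name__ == "__main__":
    bounce = "bounce-7@mail.esp-mailer.example"
    for value in ("Good Co <news@goodclient.example>",
                  "news@badclient.example",
                  '"billing@goodclient.example" <news@badclient.example>'):
        print(value, "->", classify(bounce, sample(value)))
```

The third sample carries an exempt address in the display name only; it is quarantined because the decision uses the parsed address, not the first "@" that appears on the From line.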