Sorry, but I don't know how to help you. If you have found a bug, it needs to be handled through the support process. What I can offer:
1) Collect and look at the actual emails: Is it base-64 encoded, and therefore unreadable in its encoded form? If it is readable, does it have a line break in the middle of the text you want to use for matching? Development needs examples of the emails that don't filter correctly before they will even attempt to find the cause.
2) Figure out the actual sender, and block them. Determining the most responsible sender also requires close examination of the message. Is the Mail From the address of an email service provider like
SendGrid.net or ConstantContact.com, in which case the From header address is the address of the attacker? If not, the Mail From address is likely the identity of the attacker. Are any addresses obviously computer-generated gibberish or are they all plausible entity names? If both addresses are plausible but fail authentication, then the responsible party may be the server organization itself, in which case I would block both the individual IP addresses and the helo or reverse dns domain (whichever is a better representative of the responsible organization.) If the host names also cannot be verified with forward-confirmed DNS, then maybe all that you can block with confidence is the IP address. It all depends on evaluating which identity is the one that is at fault.
3) For the long term, create a better filtering environment. SmarterTools is in the mail processing business, which is hard. Spam Filtering is a second very different and very difficult problem, and it is not their skill set. Nor is it reasonable to ask them to be best at both problems. The tools they provide are simply not adequate for the magnitude of the problem, especially as it relates to content filtering. I use home grown tools (heavily customized Declude) for sender filtering, and a mediocre commercial product for content filtering. I don't pretend to have the skills needed for home-grown content filtering. The tools that I built have been several years in evolution, and they have allowed me to detect all unwanted impersonations. But my solution still requires daily audits to fix blocked messages that should have been allowed and to a much lesser extent, allowed messages that should have been blocked. Not everyone is willing to do that. You are in a bind right now because you have been getting by with an inadequate toolkit. The fastest way to a quick fix is to spend some money on a vendor, but that can be expensive.
You should definitely pursue a support ticket to see if there is a bug that needs to be fixed.