1) Get a customizable tool and commit some labor to the job of tuning it. The goal is to authenticate senders of the stuff you want, block senders of the stuff that you do not want. For the uncertain, do post-delivery review when the workload is high, and quarantine when the workload is in your favor. Every time you get a confirmed spam source, create a block rule for all of the identifiers that represent the attacker. The most useful block rules are based on server domain name, for the attacks where you can identify a malicious server. After a while, you will start running out of bad guys.
2) Get an affordable commercial appliance product that is good at content filtering. We make Barracuda work because it is already installed and Declude sits in front, but they are moving to a cloud solution. If I were starting over, I would lean toward SonicWall, but that is only because of a documentation review several years ago, not actual use. You are buying the ability to detect malicious body content and malicious links, because you don't have the data or knowledge to build that yourself. You are also buying protection from first-time attack sources.
We are seeing a whole lot of attacks from individual gmail.com accounts. Fortunately, content filtering is catching most of their garbage. Then I add the accounts to my permanent block list.
Send me a Private Message if you want a white paper on what sender filtering should look like. You won't find anyone selling it at any price, so you have to be willing to build your own.
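An added example, not part of the original post and not the poster's own tooling: a minimal sketch of the sender-filtering loop described above (allow known senders, block confirmed sources, quarantine or review the uncertain depending on workload). The class names, the `Message` fields and the shared-provider list are assumptions, and the server domain is assumed to have been authenticated upstream.

```python
from dataclasses import dataclass, field

# Assumed list: providers whose servers carry many unrelated senders, so only
# the individual account is blocked. Gmail mail leaves from Google-run servers.
SHARED_PROVIDERS = {"gmail.com", "google.com"}

@dataclass(frozen=True)
class Message:
    server_domain: str   # domain of the sending server, verified upstream
    envelope_from: str   # SMTP MAIL FROM address
    header_from: str     # From: header address

@dataclass
class SenderFilter:
    allowed_servers: set = field(default_factory=set)    # senders you want
    blocked_servers: set = field(default_factory=set)    # confirmed bad servers
    blocked_addresses: set = field(default_factory=set)  # confirmed bad accounts

    def classify(self, msg, workload_high):
        server = msg.server_domain.lower()
        addresses = {msg.envelope_from.lower(), msg.header_from.lower()}
        # A block rule on any identifier wins over an allow rule.
        if server in self.blocked_servers or addresses & self.blocked_addresses:
            return "block"
        if server in self.allowed_servers:
            return "deliver"
        # Uncertain sender: review after delivery when busy, else quarantine.
        return "deliver-and-review" if workload_high else "quarantine"

    def confirm_spam(self, msg):
        """Add block rules for every identifier of a confirmed spam source."""
        added = []
        server = msg.server_domain.lower()
        # Server-domain rules are the most useful, but never for a shared provider.
        if server not in SHARED_PROVIDERS and server not in self.blocked_servers:
            self.blocked_servers.add(server)
            added.append(("server", server))
        for addr in sorted({msg.envelope_from.lower(), msg.header_from.lower()}):
            if addr not in self.blocked_addresses:
                self.blocked_addresses.add(addr)
                added.append(("address", addr))
        return added
```
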