The only thing we've had luck with slowing them down is phrase filtering at the SMTP level (EHLO/SMTP blocking). They all use variations of common brands -- many with misspellings like waimart or cstc or c0stco, etc.
So we filter for stuff like *waimart*@* or *c0stc0*@* and so forth. It doesn't get them all but it slows it down. Additionally, whenever a block is detected, our log monitor alerts us. Lately we've seen patterns where the emails come in from one host on a class-c, we block it, and then another IP in the same class-c hits us right away. After three or four IPs in the same class-c, we block the whole thing for a minimum of 30 days...
The one thing that is common across all of them is that they do not do any kind of bounce tracking.
That means that sender(1) is always the "brand spoofed address" where legit emails from these companies will come through third-party services that use link-tracking and bounce-detection - sender(1) will be some "serialized or encoded" sender name @ bounce or @ delivery -- the only exception we've seen is CVS has one members program that sends without bounce tracking - so filtering the CVS spam has gotten tricky. We eventually safelisted that particular subdomain's SPF and those don't get hit by the other blocks we have in place.
We're at war...
Sometimes we lock out hundreds of bad sending IPs a day - sometimes we don't get any hits in the logs at all. It varies --
MailEnable survivor / convert --
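
The sender-wildcard filter and class-C escalation described in the post, sketched as an added example (not the poster's code or mail server configuration). It assumes IPv4 and a time-ordered feed of (timestamp, client IP, MAIL FROM) events; the function names, the threshold of 3 (the post says "three or four") and all sample addresses are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Sender wildcards quoted in the post; a real list would carry more lookalikes.
SENDER_PATTERNS = ["*waimart*@*", "*c0stc0*@*"]
ESCALATE_AFTER = 3                 # assumption: low end of "three or four IPs"
RANGE_BLOCK = timedelta(days=30)   # "minimum 30 days"

def sender_blocked(mail_from):
    """True if the envelope sender matches a lookalike-brand wildcard."""
    addr = mail_from.strip("<>").lower()
    return any(fnmatch(addr, pattern) for pattern in SENDER_PATTERNS)

def process(events):
    """Return (host_blocks, range_blocks) for time-ordered events.
    range_blocks maps each escalated /24 to the time its block expires."""
    host_blocks = set()
    range_blocks = {}
    offenders = {}  # /24 network -> distinct IPs blocked inside it
    for ts, ip, mail_from in events:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        expiry = range_blocks.get(net)
        if expiry and ts < expiry:
            continue  # whole /24 is already refused at connect time
        if not sender_blocked(mail_from):
            continue
        host_blocks.add(ip)
        ips = offenders.setdefault(net, set())
        ips.add(ip)
        if len(ips) >= ESCALATE_AFTER:
            range_blocks[net] = ts + RANGE_BLOCK
            del offenders[net]
    return host_blocks, range_blocks

# Constructed sample events (documentation IP ranges, example domains).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    (T0, "203.0.113.10", "<rewards-waimart@example.com>"),
    (T0 + timedelta(minutes=1), "198.51.100.7", "<bounce-8f3a2c@delivery.example.org>"),
    (T0 + timedelta(minutes=2), "203.0.113.44", "<c0stc0-deals@example.net>"),
    (T0 + timedelta(minutes=3), "203.0.113.90", "<WAIMART-gift@example.com>"),
    (T0 + timedelta(minutes=4), "203.0.113.91", "<waimart-promo@example.com>"),
]

if __name__ == "__main__":
    hosts, ranges = process(SAMPLE)
    print("host blocks:", sorted(hosts))
    print("range blocks:", {str(n): e.isoformat() for n, e in ranges.items()})
```

The serialized bounce-style sender in the sample passes the wildcard filter, and the fifth event never reaches it because its /24 was escalated one minute earlier.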