Well I opened a ticket with Parallels to deal with the inability to remove txt records from the command line. It has been put on the wish list for a future release, so I'm not holding my breath. Still, the non-optimal outright blocking the worst of the worst has worked extremely well. For the first time since I've been fighting spam (years!), my spam caught by spamassassin is BELOW
my ham count. I was getting about 3-5 spam to each ham previously. Of course my sample size is fairly small - only a few hundred legit messages per day. It also reduced the CPU time to less than an hour per day. Sure it isn't exactly RFC to just drop connection attempts for port 25 on a mailserver, but like the pirate code - they're just guidelines anyway.
I still have to figure out why the DNSBL approach fails so hard, since the goal is to centralize it for multiple boxes to query. Even with the TXT message thing, a wildcard DNS entry could give some basic info on how to de-list. I can't for the life of me figure out why it wouldn't query a local source. Oh well, I'll get back to it soon hopefully.
If anyone is using the perl script, please be aware there is a typo in it that will prevent de-listing from the ASL blacklist. PM me if you'd like the fix.