The best practice is to create a policy where the only thing enabled is a content rule that drops all mail. As you noted, it's the earliest opportunity once the mail is in the box... and since you're not doing anything but dropping it, you turn off all of the scanners. Depending upon what sort of stuff you're dropping, using the HAT only really blocks IPs, so you can't block domains sending junk using the big mailers (Gmail/Microsoft/etc.).
What I'm afraid of with this solution is when the blacklist is full of random spam emails/domains and at that point is no longer intelligibly readable. Also, won't that use up available system resources? What to do after one year? Is it good practice to analyze how many senders are still active?
If we get persistent senders which are easily identified to an IP or IP range, we just block them on the firewall to the mail servers. Even with SenderBase refusal, getting a lot of continuous connections consumes resources, so just block them before they even get to the ESA. After six months/12 months, empty out the ACL and start again.