Hi David,
I wasn't lying when I said in my (recent) experience with over 100 servers that most did allow "localhost" connections. If a user can exploit "localhost" then that means they can edit and run scripts on the server, which means they can exploit "sendmail" just as easily as SMTP, so restricting access does not prevent anything and I do not believe it stops any abuse. If a script is exploited or a user hosted on the server attempts abuse of the service, they can still send email without using SMTP... Allowing "localhost" essentially means "we trust users we have accepted and have running on our server to use our services" - this is, I would think, a reasonable expectation of a host...
Anyways... Maybe you can set your ListMail SMTP hostname to your web site domain name, or "mail.example.com" (replace example.com with your domain) which is essentially the same thing... If they absolutely will not allow connections from your web site to the SMTP server you will have to go with the much less reliable PHP mail().
Regards