Directory Harvesting attacks and Detection
Directory harvesting is when a variety of email addresses are sent to an email server in the hope that these addresses are valid. The responses are noted in order to find valid email addresses. These recipient addresses are then either sold on or used for malicious purposes. Most email firewall servers have the ability to detect directory harvesting attacks and block the attack.
Strategies to detect and stop such an attack are when the spam firewall can put a threshold on number of invalid recipients per SMTP connection. It can also be detected in the number of RSET commands per SMTP connection. So if your spam filter is executing the reset command after analysing recipient addresses so many number of times from the same connection because it is invalid; this is another symptom it may be a directory harvesting attack.
In both circumstances above, thresholds can be set. So if the threshold is 5, and a spam firewall receives more than 5 invalid recipients from one connection, it will close the connection, though blocking it from any more attempts.
Wikipedia's guide to Directory Harvesting Attacks