Pradeep's Blog


Thursday, September 22, 2005

What's a Directory Harvest Attack?


Directory harvest attacks are the most sophisticated email address harvesting technique I have come across, and spammers are using the method more and more. To understand how a spammer or list broker can harvest your email address directory, consider the basics of how email gets delivered. Before a sending server can deliver a message over SMTP, it must first check whether the delivery address is valid. It does this by sending a "delivery attempt" request that essentially asks, "Does this email address exist, and can I deliver mail to it?"

An open source or stand-alone Mail Transfer Agent (MTA) typically answers delivery attempt requests with a synchronous "yes" or "no". If the answer is "no", the sending server gets an SMTP 550 error, because the address is invalid and mail for it cannot be delivered. If the answer is "yes", the sending server knows the address is valid and a message can be delivered. Spammers exploit this simple behaviour to probe your email servers and harvest legitimate addresses from them.

But won't this be detected by an Intrusion Detection System, when someone has to send hundreds of thousands of requests to map an entire email directory? It should, if the spammer tries and fails from the same IP a certain number of times. But most IDSs don't detect these attacks, because spammers typically don't attack any given domain for more than a few minutes: they send brief blasts of a few hundred or a few thousand address requests from a shifting array of IP addresses, which over time lets them map an entire email directory.
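The detection gap described above, as an added example that is not part of the original post: the per-IP counter that a typical IDS applies catches one noisy client, but a harvest spread across many short-lived source addresses only shows up when 550 "user unknown" replies are aggregated across all clients hitting the domain. The log format, the addresses and the thresholds here are constructed for the illustration; they are not a real MTA's log format or recommended production values.

```python
"""Spotting directory-harvest probing in SMTP recipient-rejection logs.

Added illustration, not code from the original post. The log format below is a
simplified stand-in for an MTA's smtpd log: "<ISO time> <client ip> RCPT <address> <reply code>".
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple


class RcptEvent(NamedTuple):
    ts: float   # seconds since epoch
    ip: str     # connecting client address
    rcpt: str   # recipient the client asked to deliver to
    code: int   # SMTP reply the MTA returned; 550 = recipient rejected


# Constructed sample: one noisy prober (203.0.113.5), three quiet probers that each
# stop after three guesses (198.51.100.7/8/9), two legitimate senders (192.0.2.10/11).
SAMPLE_LOG = """\
2005-09-22T10:00:01 203.0.113.5 RCPT aaron@example.com 550
2005-09-22T10:00:02 203.0.113.5 RCPT abby@example.com 550
2005-09-22T10:00:03 203.0.113.5 RCPT adam@example.com 550
2005-09-22T10:00:04 203.0.113.5 RCPT alice@example.com 250
2005-09-22T10:00:05 203.0.113.5 RCPT alan@example.com 550
2005-09-22T10:00:06 203.0.113.5 RCPT albert@example.com 550
2005-09-22T10:01:10 192.0.2.10 RCPT alice@example.com 250
2005-09-22T10:01:30 192.0.2.11 RCPT alcie@example.com 550
2005-09-22T10:02:00 198.51.100.7 RCPT bart@example.com 550
2005-09-22T10:02:01 198.51.100.7 RCPT beth@example.com 550
2005-09-22T10:02:02 198.51.100.7 RCPT bill@example.com 550
2005-09-22T10:03:00 198.51.100.8 RCPT carl@example.com 550
2005-09-22T10:03:01 198.51.100.8 RCPT cathy@example.com 550
2005-09-22T10:03:02 198.51.100.8 RCPT chad@example.com 550
2005-09-22T10:04:00 198.51.100.9 RCPT dan@example.com 550
2005-09-22T10:04:01 198.51.100.9 RCPT dave@example.com 550
2005-09-22T10:04:02 198.51.100.9 RCPT dee@example.com 550
2005-09-22T10:04:30 192.0.2.10 RCPT bob@example.com 250
"""


def parse_log(text):
    """Parse the constructed log format into time-ordered RcptEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, ip, verb, rcpt, code = line.split()
        if verb != "RCPT":
            continue
        events.append(RcptEvent(datetime.fromisoformat(when).timestamp(), ip, rcpt, int(code)))
    return sorted(events)


def per_ip_bursts(events, window=60.0, threshold=5):
    """Classic IDS rule: flag a client with `threshold` or more 550s inside any
    `window`-second span. Returns {ip: peak reject count} for flagged clients."""
    rejects = defaultdict(list)
    for e in events:
        if e.code == 550:
            rejects[e.ip].append(e.ts)
    flagged = {}
    for ip, times in rejects.items():
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def distributed_harvest(events, window=300.0, min_rejects=12, min_ips=3, per_ip_min=2):
    """Domain-wide rule: flag a `window`-second span in which at least `min_ips`
    distinct clients each produced `per_ip_min`+ rejects and the span holds
    `min_rejects`+ rejects in total. A single mistyped address (one 550 from one
    client) never counts as a prober. Returns the largest qualifying span or None."""
    rejects = [e for e in events if e.code == 550]
    best, start = None, 0
    for end in range(len(rejects)):
        while rejects[end].ts - rejects[start].ts > window:
            start += 1
        span = rejects[start:end + 1]
        by_ip = Counter(e.ip for e in span)
        probers = sorted(ip for ip, n in by_ip.items() if n >= per_ip_min)
        if len(span) >= min_rejects and len(probers) >= min_ips:
            if best is None or len(span) > best["rejects"]:
                best = {"from": span[0].ts, "to": span[-1].ts,
                        "rejects": len(span), "ips": probers}
    return best


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP bursts:", per_ip_bursts(evs))          # catches only 203.0.113.5
    print("distributed harvest:", distributed_harvest(evs))  # also catches the 198.51.100.x trio
```

Run on the sample, the per-IP rule flags only the one client that guessed five addresses in a minute; the three clients that each stopped after three guesses slip under it, exactly the pattern the post describes. The domain-wide rule sees fifteen rejections from four separate probing clients in five minutes and raises one alert covering all of them, while the lone typo from 192.0.2.11 is ignored. The per-client minimum is the important design choice: it keeps ordinary misaddressed mail from inflating the count, so the alert keys on many clients each walking through unknown names rather than on reject volume alone.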
