It's true that for some mail servers that are poorly configured, you can use SMTP to get lists of user names. The commands you're probably interested in are VRFY and EXPN. Take a look at RFC 821 for more information. This is becoming less of a problem now because most MTAs can easily be configured not to allow these commands to be used. Most spammers use other ways to get email addresses like crawling web sites.
As for "extensive work" you can do this via telnet or automate it with a script so it's not exactly rocket science. It's just a matter of finding a mail server that allows these commands to be used.

Sendmail and other programs like that are sometimes vulnerable for attackers to steal accounts from. As far as going about doing this it would require some extensive work to do. Of course all of this is just my personal knowledge and I don't know if it's totally accurate. My suggestion would be to do some research on the internet.
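For administrators checking their own MTA, here is an added example (not part of either post above) that reads an SMTP session transcript and reports whether the VRFY/EXPN replies confirm or deny individual mailboxes. The `C:`/`S:` transcript format, the sample sessions and the function names are constructed for illustration; reply-code meanings follow RFC 5321, the successor to RFC 821.

```python
import re

# Final reply codes that confirm or deny a specific mailbox (RFC 5321),
# versus codes that reveal nothing about whether the user exists.
LEAK = {"250", "251", "550", "551", "553"}
SAFE = {"252", "500", "502"}

def audit_transcript(text):
    """Pair each VRFY/EXPN command with the final reply code answering it."""
    findings, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        cmd = re.match(r"C:\s*(VRFY|EXPN)\s+(\S+)", line, re.I)
        reply = re.match(r"S:\s*(\d{3})([ -]|$)", line)
        if cmd:
            pending = (cmd.group(1).upper(), cmd.group(2))
        elif reply and pending and reply.group(2) != "-":
            # "250-..." continues a multiline reply; "250 ..." ends it.
            code = reply.group(1)
            verdict = "leak" if code in LEAK else "ok" if code in SAFE else "review"
            findings.append((*pending, code, verdict))
            pending = None
        elif line.startswith("C:"):
            pending = None  # some other command; nothing to pair
    return findings

def leaks_users(findings):
    return any(verdict == "leak" for *_, verdict in findings)

# Constructed sample sessions (not captured from any real server).
OPEN_SERVER = """\
C: VRFY alice
S: 250 Alice Example <alice@example.test>
C: VRFY nosuchuser
S: 550 5.1.1 User unknown
C: EXPN staff
S: 250-Alice Example <alice@example.test>
S: 250 Bob Example <bob@example.test>
"""
HARDENED = """\
C: VRFY alice
S: 252 2.0.0 Cannot VRFY user
C: VRFY nosuchuser
S: 252 2.0.0 Cannot VRFY user
C: EXPN staff
S: 502 5.5.1 Command disabled
"""
if __name__ == "__main__":
    for name, log in (("open", OPEN_SERVER), ("hardened", HARDENED)):
        print(name, leaks_users(audit_transcript(log)), audit_transcript(log))
```

In Postfix the setting that turns VRFY off is `disable_vrfy_command = yes`; in Sendmail it is `PrivacyOptions` with `novrfy` and `noexpn`.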



