If someone is doing that, you're in the realm of targeted attacks instead of scans, which is outside the scope of my original comment. It's similar to someone monitoring your traffic; as I already said, if that's the case you need more anyways.
Security is not choose your own buffet where you get to only think about scans but ignore other common attack vectors. Botnets are common enough that targeted attacks like I described are just as common as scans, so you always need more anyway.
Configuring your host to return 404 on invalid subdomains is just not a general solution, at best it just buys you some time until attackers find the subdomain, ie. kicking the can down the road, like I originally said.
No, I'm saying that's one of many behaviours. They mine domains and URLs scraped from email addresses, email headers and bodies, online content, and more. Your site is not "secure" when that security can be circumvented by someone pasting a URL into an email.
