The inverse mask on your "deny" command line is the problem.
144.85.15.0 with inverse mask 0.0.0.128 (binary of the last octet in the mask is 1000 0000) only denies when the last octet of the IP address is .0 (0000 0000 in binary) or .128 (1000 0000 in binary). Because the inverse mask doesnt care about the left-most bit in that last octet, but it IS interested in matching all the other bits. It could be a typo on the inverse mask, Ive done that before. Anyway, that's why the .49 address is getting through.
144.85.15.0 with inverse mask 0.0.0.127 (binary of the last octet in the mask is 0111 1111) would deny when the last octet of the IP address is anything from .0 (0000 0000 in binary) through .127 (0111 1111), inclusive. Because the mask cares about the left-most bit in that last octet, but doesnt care about the rest of the bits in that octet. This would block the .49 host.
If you wanted to block only hosts .128 through .255, then you would have to change the 144.85.15.0 to 144.85.15.128 with inverse mask 0.0.0.127.
144.85.15.0 with inverse mask 0.0.0.255 would block hosts from .0 through .255.
Generally speaking, inverse masks usually end with an odd number in the last octet (.1, .3, .7, .15, .31, .63, .127, or .255); regular subnet masks usually end with an even number (.254, .252, .248, .240, .224, .192, .128, or .0).
When a regular subnet mask ends with an odd number (.255, to be specific), its probably referring to a single host IP address.
Hope this helps.