I still don't see how this is working, unless all routers on the way implement connection tracking (which is certainly not the case).
So, they send out a spoofed package using a 44 address as origin and then what? The reply will never get back to them. Instead it will be routed to the proper real 44 endpoint, either directly for BGP-ed subnets, or via 44.0.0.1, to no end result.
That is why I rather suspect some network using internal 44 addresses as "private" IPs, overlap our net and sometimes leak out via a non source-filtered ISP.
I think that is not a legitimate use but an attack group that spoofs sender addresses when sending their attacks and they use net-44 addresses as well. To have that go down, more ISPs should implement BCP38 (source address filtering).