I came across a website with canonical tags setup on all of their pages and they were pointing to a spam site. I suspect someone hacked in and changed the canonical tags to siphon link juice. Now that cross cross-domain canonical tags are supported I would not be surprised if this becomes more common.
The canonical tag is a small line of code that is easy to overlook despite its large implications.
I'm running an experiment to try to exploit Rel-canonical in the <body>, and, consistent with Matt's statement, it doesn't seem to work (even on the same domain). The comment about a a bad <head> (unclosed or doubling-up) may be worth testing, but I think Google is pretty good about ignoring secondary <head> sections.
On the other hand, every experience I've had with Rel-canonical suggest that it's VERY powerful and much more than just a suggestion. Even cross-domain canonicals seem to be working much more often than I would've originally expected.
I was recently involved in cleaning up several sites on a hacked server - and much to my surprise I found the canonical tag hacked in just this manner. It was a Joomla site, and the actual Joomla template had been modified by the hacker.
The only way I noticed it was that I had a FireFox plugin (SearchStatus) that I was experimenting with. It places a "C" icon in the location (right next to the RSS icon) and I'd never noticed it before. I clicked on it a was taken to the hacker's spam site.